First published: Fri Jan 28 2022
A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result of insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP.
Credit: psirt@wdc.com
Affected Software | Affected Version | How to fix |
---|---|---|
Westerndigital My Cloud Os | <5.19.117 | |
Westerndigital My Cloud | | |
Westerndigital My Cloud Dl2100 | | |
Westerndigital My Cloud Dl4100 | | |
Westerndigital My Cloud Ex2 Ultra | | |
Westerndigital My Cloud Ex2100 | | |
Westerndigital My Cloud Ex4100 | | |
Westerndigital My Cloud Mirror Gen 2 | | |
Westerndigital My Cloud Pr2100 | | |
Westerndigital My Cloud Pr4100 | | |
Westerndigital Wd Cloud | | |
Western Digital MyCloud PR4100 | | |

Update your My Cloud device to firmware version 5.19.117.
The ID for this vulnerability is CVE-2022-22994.
The severity of CVE-2022-22994 is critical with a CVSS score of 9.8.
Network-adjacent attackers can exploit CVE-2022-22994 to execute arbitrary code on affected installations of Western Digital MyCloud PR4100 without authentication.
The software affected by CVE-2022-22994 is Western Digital My Cloud OS, versions up to 5.19.117.
To fix CVE-2022-22994, update the firmware of Western Digital MyCloud PR4100 to version 5.19.117 or later.