CVE-2023-22815: Post-authentication remote command injection vulnerability on Western Digital My Cloud OS 5 devices
First published: Fri Jun 30 2023(Updated: )
Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high. This issue affects My Cloud OS 5 devices: before 5.26.300.
Credit: psirt@wdc.com psirt@wdc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Westerndigital My Cloud Os | <5.26.300 | |
| Westerndigital My Cloud | ||
| Westerndigital My Cloud Dl2100 | ||
| Westerndigital My Cloud Dl4100 | ||
| Westerndigital My Cloud Ex2 Ultra | ||
| Westerndigital My Cloud Ex2100 | ||
| Westerndigital My Cloud Ex4100 | ||
| Westerndigital My Cloud Mirror G2 | ||
| Westerndigital My Cloud Pr2100 | ||
| Westerndigital My Cloud Pr4100 | ||
| Westerndigital Wd Cloud | ||
| All of | ||
| Any of | ||
| Westerndigital My Cloud | ||
| Westerndigital My Cloud Dl2100 | ||
| Westerndigital My Cloud Dl4100 | ||
| Westerndigital My Cloud Ex2 Ultra | ||
| Westerndigital My Cloud Ex2100 | ||
| Westerndigital My Cloud Ex4100 | ||
| Westerndigital My Cloud Mirror G2 | ||
| Westerndigital My Cloud Pr2100 | ||
| Westerndigital My Cloud Pr4100 | ||
| Westerndigital Wd Cloud | ||
| Westerndigital My Cloud Os | <5.26.300 |
Remedy
Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-22815?
CVE-2023-22815 is a post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code with root privileges.
How can this vulnerability be exploited?
This vulnerability can only be exploited over the network and the attacker must already have administrative access to the affected device.
What is the severity of CVE-2023-22815?
CVE-2023-22815 has a severity rating of medium with a CVSS score of 6.7.
Which Western Digital My Cloud OS 5 devices are affected by CVE-2023-22815?
Western Digital My Cloud OS 5 devices up to version 5.26.300 are affected by this vulnerability.
How can I fix CVE-2023-22815?
To fix CVE-2023-22815, it is recommended to update the firmware of the affected Western Digital My Cloud OS 5 device to version 5.26.300 or later.
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/references
- agent/weakness
- agent/title
- agent/last-modified-date
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/westerndigital
- canonical/westerndigital my cloud os
- canonical/westerndigital my cloud
- canonical/westerndigital my cloud dl2100
- canonical/westerndigital my cloud dl4100
- canonical/westerndigital my cloud ex2 ultra
- canonical/westerndigital my cloud ex2100
- canonical/westerndigital my cloud ex4100
- canonical/westerndigital my cloud mirror g2
- canonical/westerndigital my cloud pr2100
- canonical/westerndigital my cloud pr4100
- canonical/westerndigital wd cloud