First published: Fri Jun 30 2023(Updated: )
Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high. This issue affects My Cloud OS 5 devices: before 5.26.300.
Credit: psirt@wdc.com psirt@wdc.com
Affected Software | Affected Version | How to fix |
---|---|---|
Westerndigital My Cloud Os | <5.26.300 | |
Westerndigital My Cloud | ||
Westerndigital My Cloud Dl2100 | ||
Westerndigital My Cloud Dl4100 | ||
Westerndigital My Cloud Ex2 Ultra | ||
Westerndigital My Cloud Ex2100 | ||
Westerndigital My Cloud Ex4100 | ||
Westerndigital My Cloud Mirror G2 | ||
Westerndigital My Cloud Pr2100 | ||
Westerndigital My Cloud Pr4100 | ||
Westerndigital Wd Cloud | ||
All of | ||
Any of | ||
Westerndigital My Cloud | ||
Westerndigital My Cloud Dl2100 | ||
Westerndigital My Cloud Dl4100 | ||
Westerndigital My Cloud Ex2 Ultra | ||
Westerndigital My Cloud Ex2100 | ||
Westerndigital My Cloud Ex4100 | ||
Westerndigital My Cloud Mirror G2 | ||
Westerndigital My Cloud Pr2100 | ||
Westerndigital My Cloud Pr4100 | ||
Westerndigital Wd Cloud | ||
Westerndigital My Cloud Os | <5.26.300 |
Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-22815 is a post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code with root privileges.
This vulnerability can only be exploited over the network and the attacker must already have administrative access to the affected device.
CVE-2023-22815 has a severity rating of medium with a CVSS score of 6.7.
Western Digital My Cloud OS 5 devices up to version 5.26.300 are affected by this vulnerability.
To fix CVE-2023-22815, it is recommended to update the firmware of the affected Western Digital My Cloud OS 5 device to version 5.26.300 or later.