CVE-2023-22816: WDC-23010 My Cloud Firmware Version 5.26.300 | Western Digital

A post-authentication remote command injection vulnerability in a CGI file in Western Digital My Cloud OS 5 devices could allow an attacker to build files with redirects and execute larger payloads. This issue affects My Cloud OS 5 devices running firmware versions before 5.26.300.

WDC Tracking Number: WDC-23010
Product Line: My Cloud
Published: June 23, 2023

Last Updated: June 23, 2023

Description

My Cloud OS 5 Firmware 5.26.300 includes updates to help improve the security of your My Cloud OS 5 devices.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

| Product Impact | Minimum Fix Version | Last Updated |
|---|---|---|
| My Cloud PR2100 | 5.26.300 | June 21, 2023 |
| My Cloud PR4100 | 5.26.300 | June 21, 2023 |
| My Cloud EX4100 | 5.26.300 | June 21, 2023 |
| My Cloud EX2 Ultra | 5.26.300 | June 21, 2023 |
| My Cloud Mirror G2 | 5.26.300 | June 21, 2023 |
| My Cloud DL2100 | 5.26.300 | June 21, 2023 |
| My Cloud DL4100 | 5.26.300 | June 21, 2023 |
| My Cloud EX2100 | 5.26.300 | June 21, 2023 |
| My Cloud | 5.26.300 | June 21, 2023 |
| WD Cloud | 5.26.300 | June 21, 2023 |

For more information on the latest security updates, see the release notes.

Advisory Summary

Addressed a post-authentication remote command injection vulnerability in a CGI file that could allow an attacker to build files with redirects and execute larger payloads.

CVE Number: CVE-2023-22816

Western Digital would like to thank Wil Gibbs and Arvind S Raj for reporting this issue.

Addressed post-authentication remote command injection vulnerabilities that could allow an attacker to execute code in the context of the root user on vulnerable CGI files.

CVE Number: CVE-2023-22815

Western Digital would like to thank Nikita Abramov (Positive Technologies) for reporting this issue.
