CVE-2021-36226
Description
Western Digital My Cloud devices before OS5 do not use cryptographically signed Firmware upgrade files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Western Digital My Cloud devices before OS5 accept unsigned firmware updates, allowing unauthenticated attackers to install malicious firmware and gain root access.
Vulnerability
Western Digital My Cloud devices running OS3 (firmware versions up to 2.40.157) do not cryptographically verify firmware upgrade files before installation [1], [2]. This allows an attacker to craft a malicious firmware image that will be accepted and installed without signature validation.
Exploitation
An unauthenticated attacker on the network can initiate a firmware upgrade using a low-privileged account with a blank password (CVE-2021-36224 and CVE-2021-36225) [1]. The attacker then uploads a malicious firmware image lacking any cryptographic signature; the device installs it without verification, granting persistent code execution [2].
Impact
Successful exploitation gives the attacker remote code execution as root on the device [1]. The malicious firmware persists across reboots, providing full control over the NAS and potentially compromising stored data [2].
Mitigation
Western Digital released My Cloud OS5, which includes cryptographic verification of firmware upgrades [1], [2]. Users should upgrade to OS5 or later. For devices that cannot upgrade, no workaround is available; they remain vulnerable.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Western Digital/My Cloud
- Range: < OS5
Patches
No patches discovered yet.
References: 3