WD My Cloud
CVEs (20)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-17153 | | Cri | 0.74 | 9.8 | 0.87 | | Sep 18, 2018 | It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining… |
| CVE-2018-9148 | | Cri | 0.64 | 9.8 | 0.04 | | Mar 30, 2018 | Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication… |
| CVE-2025-30247 | | Cri | 0.61 | — | 0.01 | | Sep 29, 2025 | An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST. |
| CVE-2024-22170 | | Cri | 0.60 | — | 0.00 | | Sep 27, 2024 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Western Digital My Cloud ddns-start on Linux allows Overflow Buffers. This issue affects My Cloud: before 5.29.102. |
| CVE-2024-22168 | | Med | 0.38 | — | 0.00 | | Jun 24, 2024 | A Cross-Site Scripting (XSS) vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s… |
| CVE-2020-25765 | | | 0.01 | — | 0.06 | | Oct 27, 2020 | Addressed remote code execution vulnerability in reg_device.php due to insufficient validation of user input in Western Digital My Cloud Devices prior to 5.4.1140. |
| CVE-2021-36225 | | | 0.00 | — | 0.01 | | Feb 6, 2023 | Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation. |
| CVE-2021-36224 | | | 0.00 | — | 0.01 | | Feb 6, 2023 | Western Digital My Cloud devices before OS5 have a nobody account with a blank password. |
| CVE-2022-29838 | | | 0.00 | — | 0.00 | | Dec 9, 2022 | Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects: Western Digital My Cloud My Cloud versions prior… |
| CVE-2022-29839 | | | 0.00 | — | 0.00 | | Dec 9, 2022 | Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western… |
| CVE-2022-22999 | | | 0.00 | — | 0.00 | | Jul 25, 2022 | Western Digital My Cloud devices are vulnerable to a cross-site scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may… |
| CVE-2022-22994 | | | 0.00 | — | 0.02 | | Jan 28, 2022 | A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result of insufficient verification of calls to the device. The vulnerability was addressed by… |
| CVE-2022-22993 | | | 0.00 | — | 0.01 | | Jan 28, 2022 | A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters. |
| CVE-2022-22990 | | | 0.00 | — | 0.02 | | Jan 13, 2022 | A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP… |
| CVE-2020-27160 | | | 0.00 | — | 0.05 | | Oct 27, 2020 | Addressed remote code execution vulnerability in AvailableApps.php that allowed escalation of privileges in Western Digital My Cloud NAS devices prior to 5.04.114 (issue 3 of 3). |
| CVE-2020-12830 | | | 0.00 | — | 0.03 | | Oct 27, 2020 | Addressed multiple stack buffer overflow vulnerabilities that could allow an attacker to carry out escalation of privileges through unauthorized remote code execution in Western Digital My Cloud devices before 5.04.114. |
| CVE-2019-9949 | | | 0.00 | — | 0.03 | | May 23, 2019 | Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, EX4100, DL2100, DL4100, PR2100 and PR4100 before firmware 2.31.183 are affected by a code execution (as root, starting from a low-privilege user session) vulnerability. The cgi-bin/webfile_mgr.cgi file allows… |
| CVE-2019-9951 | | | 0.00 | — | 0.02 | | Apr 24, 2019 | Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an unauthenticated file upload vulnerability. The page… |
| CVE-2019-9950 | | | 0.00 | — | 0.02 | | Apr 24, 2019 | Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an authentication bypass vulnerability. The login_mgr.cgi file… |
| CVE-2014-5876 | | | 0.00 | — | 0.00 | | Sep 11, 2014 | The WD My Cloud (aka com.wdc.wd2go) application 4.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |