VYPR

WD My Cloud

by Western Digital

CVEs (20)

  • CVE-2018-17153 | Cri | Sep 18, 2018
    risk 0.74 | cvss 9.8 | epss 0.87

    It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining…

  • CVE-2018-9148 | Cri | Mar 30, 2018
    risk 0.64 | cvss 9.8 | epss 0.04

    Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication…

  • CVE-2025-30247 | Cri | Sep 29, 2025
    risk 0.61 | cvss | epss 0.01

    An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST.

  • CVE-2024-22170 | Cri | Sep 27, 2024
    risk 0.60 | cvss | epss 0.00

    Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Western Digital My Cloud ddns-start on Linux allows Overflow Buffers. This issue affects My Cloud: before 5.29.102.

  • CVE-2024-22168 | Med | Jun 24, 2024
    risk 0.38 | cvss | epss 0.00

    A Cross-Site Scripting (XSS) vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s…

  • CVE-2020-25765 | Oct 27, 2020
    risk 0.01 | cvss | epss 0.06

    Addressed remote code execution vulnerability in reg_device.php due to insufficient validation of user input in Western Digital My Cloud Devices prior to 5.4.1140.

  • CVE-2021-36225 | Feb 6, 2023
    risk 0.00 | cvss | epss 0.01

    Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation.

  • CVE-2021-36224 | Feb 6, 2023
    risk 0.00 | cvss | epss 0.01

    Western Digital My Cloud devices before OS5 have a nobody account with a blank password.

  • CVE-2022-29838 | Dec 9, 2022
    risk 0.00 | cvss | epss 0.00

    Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects: Western Digital My Cloud My Cloud versions prior…

  • CVE-2022-29839 | Dec 9, 2022
    risk 0.00 | cvss | epss 0.00

    Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western…

  • CVE-2022-22999 | Jul 25, 2022
    risk 0.00 | cvss | epss 0.00

    Western Digital My Cloud devices are vulnerable to a cross-site scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may…

  • CVE-2022-22994 | Jan 28, 2022
    risk 0.00 | cvss | epss 0.02

    A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result of insufficient verification of calls to the device. The vulnerability was addressed by…

  • CVE-2022-22993 | Jan 28, 2022
    risk 0.00 | cvss | epss 0.01

    A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters.

  • CVE-2022-22990 | Jan 13, 2022
    risk 0.00 | cvss | epss 0.02

    A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP…

  • CVE-2020-27160 | Oct 27, 2020
    risk 0.00 | cvss | epss 0.05

    Addressed remote code execution vulnerability in AvailableApps.php that allowed escalation of privileges in Western Digital My Cloud NAS devices prior to 5.04.114 (issue 3 of 3).

  • CVE-2020-12830 | Oct 27, 2020
    risk 0.00 | cvss | epss 0.03

    Addressed multiple stack buffer overflow vulnerabilities that could allow an attacker to carry out escalation of privileges through unauthorized remote code execution in Western Digital My Cloud devices before 5.04.114.

  • CVE-2019-9949 | May 23, 2019
    risk 0.00 | cvss | epss 0.03

    Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, EX4100, DL2100, DL4100, PR2100 and PR4100 before firmware 2.31.183 are affected by a code execution (as root, starting from a low-privilege user session) vulnerability. The cgi-bin/webfile_mgr.cgi file allows…

  • CVE-2019-9951 | Apr 24, 2019
    risk 0.00 | cvss | epss 0.02

    Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an unauthenticated file upload vulnerability. The page…

  • CVE-2019-9950 | Apr 24, 2019
    risk 0.00 | cvss | epss 0.02

    Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an authentication bypass vulnerability. The login_mgr.cgi file…

  • CVE-2014-5876 | Sep 11, 2014
    risk 0.00 | cvss | epss 0.00

    The WD My Cloud (aka com.wdc.wd2go) application 4.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.