VYPR
Vendor: Western Digital

Products: 30
CVEs: 82
Across products: 101
Status: Private

Recent CVEs

  • CVE-2018-17153 (Critical, Sep 18, 2018)
    risk 0.74, cvss 9.8, epss 0.87

    It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining…

  • CVE-2016-10108 (Critical, Jan 3, 2017)
    risk 0.74, cvss 9.8, epss 0.95

    Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.

  • CVE-2017-17560 (Critical, Dec 12, 2017)
    risk 0.73, cvss 9.8, epss 0.73

    An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on…

  • CVE-2016-10107 (Critical, Jan 3, 2017)
    risk 0.65, cvss 9.8, epss 0.11

    Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 index.php page via a modified Cookie header.

  • CVE-2018-1151 (Critical, Jun 12, 2018)
    risk 0.64, cvss 9.8, epss 0.08

    The web server on Western Digital TV Media Player 1.03.07 and TV Live Hub 3.12.13 allows unauthenticated remote attackers to execute arbitrary code or cause denial of service via crafted HTTP requests to toServerValue.cgi.

  • CVE-2018-9148 (Critical, Mar 30, 2018)
    risk 0.64, cvss 9.8, epss 0.04

    Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication…

  • CVE-2025-30247 (Critical, Sep 29, 2025)
    risk 0.61, cvss (not listed), epss 0.01

    An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST.

  • CVE-2024-22170 (Critical, Sep 27, 2024)
    risk 0.60, cvss (not listed), epss 0.00

    Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Western Digital My Cloud ddns-start on Linux allows Overflow Buffers. This issue affects My Cloud: before 5.29.102.

  • CVE-2024-22167 (High, Mar 13, 2024)
    risk 0.51, cvss 7.9, epss 0.00

    A potential DLL hijacking vulnerability in the SanDisk PrivateAccess application for Windows that could lead to arbitrary code execution in the context of the system user. This vulnerability is only exploitable locally if an attacker has access to a copy of the user's vault or…

  • CVE-2025-57699 (Medium, Aug 22, 2025)
    risk 0.44, cvss 6.7, epss 0.00

    Western Digital Kitfox for Windows provided by Western Digital Corporation registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with the SYSTEM privilege.

  • CVE-2020-13799 (Medium, Nov 18, 2020)
    risk 0.44, cvss 6.8, epss 0.00

    Western Digital has identified a security vulnerability in the Replay Protected Memory Block (RPMB) protocol as specified in multiple standards for storage device interfaces, including all versions of eMMC, UFS, and NVMe. The RPMB protocol is specified by industry standards…

  • CVE-2024-22168 (Medium, Jun 24, 2024)
    risk 0.38, cvss (not listed), epss 0.00

    A Cross-Site Scripting (XSS) vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s…

  • CVE-2015-7709 (Oct 5, 2015)
    risk 0.09, cvss (not listed), epss 0.79

    The arkeiad daemon in the Arkeia Backup Agent in Western Digital Arkeia 11.0.12 and earlier allows remote attackers to bypass authentication and execute arbitrary commands via a series of crafted requests involving the ARKFS_EXEC_CMD operation.

  • CVE-2022-29844 (Jan 25, 2023)
    risk 0.04, cvss (not listed), epss 0.36

    A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.

  • CVE-2019-16399 (Sep 18, 2019)
    risk 0.04, cvss (not listed), epss 0.07

    Western Digital WD My Book World through II 1.02.12 suffers from Broken Authentication, which allows an attacker to access the /admin/ directory without credentials. An attacker can easily enable SSH from /admin/system_advanced.php?lang=en and log in with the default root…

  • CVE-2014-2846 (Apr 28, 2014)
    risk 0.04, cvss (not listed), epss 0.09

    Directory traversal vulnerability in opt/arkeia/wui/htdocs/index.php in the WD Arkeia virtual appliance (AVA) with firmware before 10.2.9 allows remote attackers to read arbitrary files and execute arbitrary PHP code via a ..././ (dot dot dot slash dot slash) in the lang Cookie…

  • CVE-2013-5006 (Jul 31, 2013)
    risk 0.03, cvss (not listed), epss 0.05

    main_internet.php on the Western Digital My Net N600 and N750 with firmware 1.03.12 and 1.04.16, and the N900 and N900C with firmware 1.05.12, 1.06.18, and 1.06.28, allows remote attackers to discover the cleartext administrative password by reading the "var pass=" line within…

  • CVE-2020-27744 (Oct 29, 2020)
    risk 0.01, cvss (not listed), epss 0.06

    An issue was discovered on Western Digital My Cloud NAS devices before 5.04.114. They allow remote code execution with resultant escalation of privileges.

  • CVE-2020-25765 (Oct 27, 2020)
    risk 0.01, cvss (not listed), epss 0.06

    Addressed remote code execution vulnerability in reg_device.php due to insufficient validation of user input in Western Digital My Cloud Devices prior to 5.4.1140.

  • CVE-2020-27159 (Oct 27, 2020)
    risk 0.01, cvss (not listed), epss 0.06

    Addressed remote code execution vulnerability in DsdkProxy.php due to insufficient sanitization and insufficient validation of user input in Western Digital My Cloud NAS devices prior to 5.04.114.