CVE-2019-16399

CRITICAL

Western Digital WD My Book World - Auth Bypass


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-16399. PoCs published by Noman Riffat.

AI-analyzed exploit summary: This exploit leverages broken authentication in Western Digital My Book World II NAS to enable SSH access via a crafted POST request. The default SSH password 'welc0me' can then be used for remote command execution.

Description

Western Digital WD My Book World through II 1.02.12 suffers from Broken Authentication, which allows an attacker to access the /admin/ directory without credentials. An attacker can easily enable SSH from /admin/system_advanced.php?lang=en and log in with the default root password welc0me.

Exploits (1)

exploitdb · WORKING POC
by Noman Riffat · text · webapps · hardware
https://www.exploit-db.com/exploits/47399

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Western Digital My Book World II NAS <= 1.02.12
No auth needed
Prerequisites: Network access to the target device · SSH client to connect after enabling SSH
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0708
EPSS Percentile: 93.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-798
Status: published
Products (1): westerndigital/wd_my_book_firmware < 1.02.12
Published: Sep 18, 2019
Tracked Since: Feb 18, 2026