CVE-2019-9951

CRITICAL

Western Digital - Unauthenticated File Upload

Title source: llm

Description

Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an unauthenticated file upload vulnerability. The page web/jquery/uploader/uploadify.php can be accessed without any credentials, and allows uploading arbitrary files to any location on the attached storage.

References (4)

Core 4

Core References

Release Notes, Third Party Advisory x_refsource_confirm

https://community.wd.com/t/new-release-my-cloud-firmware-versions-2-31-174-3-26-19/235932

Third Party Advisory x_refsource_confirm

https://support.wdc.com/downloads.aspx?g=2702&lang=en

Various Sources x_refsource_misc

https://bnbdr.github.io/posts/wd/

Various Sources x_refsource_misc

https://github.com/bnbdr/wd-rce/

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0096

EPSS Percentile 76.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (9)

western_digital/my_cloud_dl2100 < 2.31.174

western_digital/my_cloud_dl4100_firmware < 2.31.174

western_digital/my_cloud_ex2100_firmware < 2.31.174

western_digital/my_cloud_ex2_ultra_firmware < 2.31.174

western_digital/my_cloud_ex4100 < 2.31.174

western_digital/my_cloud_firmware < 2.31.174

western_digital/my_cloud_mirror_gen_2_firmware < 2.31.174

western_digital/my_cloud_pr2100_firmware < 2.31.174

western_digital/my_cloud_pr4100 < 2.31.174

Published Apr 24, 2019

Tracked Since Feb 18, 2026