CVE-2021-35941
HIGH | EXPLOITED IN THE WILD
Western Digital WD My Book Live - Auth Bypass
Title source: llm
Exploitation Summary
CVE-2021-35941 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication. This was exploited in the wild in June 2021 and is a different vulnerability than CVE-2018-18472.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo
Exploit, Third Party Advisory x_refsource_misc
https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/
Scores
CVSS v3: 7.5
EPSS: 0.1271
EPSS Percentile: 95.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
VulnCheck KEV: 2021-06-29
InTheWild.io: 2021-07-06
CWE: CWE-306
Status: published
Products (2)
westerndigital/wd_my_book_live_duo_firmware
westerndigital/wd_my_book_live_firmware
2.0
Published: Jun 29, 2021
Tracked Since: Feb 18, 2026