CVE-2022-22990

HIGH

Westerndigital MY Cloud OS < 5.19.117 - Authentication Bypass

Title source: rule

Description

A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.

References (3)

[Vendor Advisory] https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117

[Third Party Advisory, VDB Entry] https://www.zerodayinitiative.com/advisories/ZDI-22-076/

[Third Party Advisory, VDB Entry] https://www.zerodayinitiative.com/advisories/ZDI-22-347/

Scores

CVSS v3 7.8

EPSS 0.0171

EPSS Percentile 82.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Details

CWE

CWE-697 CWE-287

Status published

Products (1)

westerndigital/my_cloud_os < 5.19.117

Published Jan 13, 2022

Tracked Since Feb 18, 2026