CVE-2022-36331

CRITICAL

Western Digital My Cloud <5.25.132, <8.13.1-102 - Info Disclosure

Title source: llm

Description

Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data. This issue affects My Cloud OS 5 devices: before 5.25.132; My Cloud Home and My Cloud Home Duo: before 8.13.1-102; SanDisk ibi: before 8.13.1-102.

References (2)

Core 2

Core References

Broken Link

https://https://www.westerndigital.com/support/product-security/wdc-22020-my-cloud-os-5-my-cloud-home-ibi-firmware-update

Vendor Advisory

https://www.westerndigital.com/support/product-security/wdc-22020-my-cloud-os-5-my-cloud-home-ibi-firmware-update

Scores

CVSS v3 10.0

EPSS 0.0059

EPSS Percentile 43.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-290

Status published

Products (12)

westerndigital/my_cloud_dl2100_firmware < 5.25.132

westerndigital/my_cloud_dl4100_firmware < 5.25.132

westerndigital/my_cloud_ex2100_firmware < 5.25.132

westerndigital/my_cloud_ex2_ultra_firmware < 5.25.132

westerndigital/my_cloud_ex4100_firmware < 5.25.132

westerndigital/my_cloud_firmware < 5.25.132

westerndigital/my_cloud_home_duo_firmware < 8.13.1-102

westerndigital/my_cloud_home_firmware < 8.13.1-102

westerndigital/my_cloud_mirror_g2_firmware < 5.25.132

westerndigital/my_cloud_pr2100_firmware < 5.25.132

... and 2 more

Published Jun 12, 2023

Tracked Since Feb 18, 2026