CVE-2023-22815

MEDIUM

Western Digital My Cloud OS < 5.26.300 - Authenticated Remote Command Injection via CGI Files

Title source: llm

Description

Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high. This issue affects My Cloud OS 5 devices: before 5.26.300.

References (1)

Core 1

Core References

Vendor Advisory

https://www.westerndigital.com/support/product-security/wdc-23010-my-cloud-firmware-version-5-26-300

Scores

CVSS v3 6.2

EPSS 0.0111

EPSS Percentile 61.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-77 CWE-78

Status published

Products (1)

westerndigital/my_cloud_os < 5.26.300

Published Jun 30, 2023

Tracked Since Feb 18, 2026