CVE-2022-22994 HIGH

CVE-2022-22994: Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability on Western Digital My Cloud devices.

Vendor Western Digital
Product My Cloud
Weakness CWE-345
Published January 28, 2022
Last update August 3, 2024

CVSS base score

8.8/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP.

Key dates

02Disclosure timeline

January 28, 2022 CVE published
August 3, 2024 Record updated