CVE-2022-36331 CRITICAL

CVE-2022-36331: Impersonation attack causing an Authentication Bypass on Western Digital devices

Vendor Western Digital
Product My Cloud OS 5
Weakness CWE-290
Published June 12, 2023
Last update January 3, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data. This issue affects My Cloud OS 5 devices: before 5.25.132; My Cloud Home and My Cloud Home Duo: before 8.13.1-102; SanDisk ibi: before 8.13.1-102.

Key dates

02 Disclosure timeline

June 12, 2023 CVE published
January 3, 2025 Record updated