CVE-2023-22815 MEDIUM

CVE-2023-22815: Post-authentication remote command injection vulnerability on Western Digital My Cloud OS 5 devices

Vendor Western Digital
Product My Cloud OS 5
Weakness CWE-78
Published June 30, 2023
Last update November 6, 2024

CVSS base score

6.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

What the vulnerability does

01Description

Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high.  This issue affects My Cloud OS 5 devices: before 5.26.300.

Key dates

02Disclosure timeline

June 30, 2023 CVE published
November 6, 2024 Record updated