Flaw in Western Digital My Cloud exposes the content to hackers

An authentication bypass vulnerability in Western Digital My Cloud NAS could allow hackers to access the content of the storage

Researchers at security firm Securify have discovered an elevation of privilege vulnerability in the Western Digital My Cloud platform that could be exploited by attackers to gain admin-level access to the device via an HTTP request.

The flaw, tracked as CVE-2018-17153, would allow an unauthenticated attacker with network access to the device to authenticate as an admin without providing a password.

The attacker could exploit the flaw to run commands, access the stored data, modify/copy them as well as wipe the NAS.

“It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability that allows an unauthenticated user to create an admin session that is tied to her IP address.” reads the report published by Securify.

“By exploiting this issue an unauthenticated attacker can run commands that would normally require admin privileges and gain complete control of the My Cloud device.”

The vulnerability resides in the process of creation of admin sessions implemented by the My Cloud devices that bound to the user’s IP address.

Once the session is created, it is possible to call the authenticated CGI modules by sending the cookie username=admin in the HTTP request. The CGI will check if a valid session is present and bound to the user’s IP address.

An attacker can send a CGI call to the device including a cookie containing the cookie username=admin.

“It was found that it is possible for an unauthenticated attacker to create a valid session without requiring to authenticate.” continues Securify.

“The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges arenow authorized if an attacker sets the username=admin cookie.”

The experts published the following PoC code to exploit the issue:

POST /cgi-bin/network_mgr.cgi HTTP/1.1

Host: wdmycloud.local

Content-Type: application/x-www-form-urlencoded

Cookie: username=admin

Content-Length: 23



Securify reported the vulnerability to Western Digital in April, but it is still waiting for a response.

In February, experts from Trustwave disclosed two vulnerabilities in Western Digital My Cloud network storage devices that could be exploited by a local attacker to gain root access to the NAS devices.

In April, security experts at Trustwave discovered that Western Digital My Cloud EX2 storage devices were leaking files on a local network by default.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase