CVE-2021-36225

Published: Feb 6, 2023Modified: Mar 26, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation.

Affected (1)

Products: Westerndigital: My Cloud Os

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Westerndigital My Cloud Os	Before 5.02.104

Running on/with	Platform Versions
Westerndigital My Cloud Pr4100	All versions

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (6)

https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer.md

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users/

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://www.youtube.com/watch?v=vsg9YgvGBec

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer.md

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://www.youtube.com/watch?v=vsg9YgvGBec

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.