CVE-2020-28970

Name of the Vulnerable Software and Affected Versions Western Digital My Cloud OS 5 versions prior to 5.06.115

Description An issue was discovered that could allow an unauthenticated user to execute privileged commands on the device via a cookie, effectively bypassing NAS Admin authentication. This could be further exploited by an authenticated administrator using an upload endpoint to upload executable PHP scripts.

Recommendations For Western Digital My Cloud OS 5 versions prior to 5.06.115, update to version 5.06.115 or later to resolve the issue. As a temporary workaround, consider restricting access to the upload endpoint and limiting the execution of privileged commands until a patch is applied.