PT-2021-7663 · Western Digital · Western Digital My Cloud
Pedro Ribeiro (+1)
Published: 2021-07-02 · Updated: 2023-08-08
CVE-2021-36225
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Western Digital My Cloud devices before OS5
Description
The issue allows low-privileged accounts to reach REST API commands that should be restricted to administrators, as demonstrated by the API commands for firmware upload and installation. Because an account that can upload and install firmware controls the code the device runs, this can lead to remote execution of arbitrary code. The vulnerability lies in the implementation of the Western Digital MyCloud PR4100 network storage device's software interface and is classified as an unrestricted upload of a dangerous file type.
Recommendations
For Western Digital My Cloud devices before OS5, consider disabling REST API access for low-privileged accounts until a patch is available. Restrict the API commands for firmware upload and installation to administrator accounts to minimize the risk of exploitation, and avoid using the API for firmware updates until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
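The weakness described above is an authorization gap rather than an authentication gap: the API checks that some account is logged in but not that the account is allowed to perform a firmware operation. The following is an added illustration, not Western Digital's code and not the device's real API: a toy REST dispatcher showing the weak "any authenticated user" pattern beside a hardened version that allowlists privileged operations, requires the administrator role for them, and records denied attempts so that an operator can alert on them. The operation names, roles and sessions are hypothetical and constructed for the example.

```python
"""Added example: role-gated firmware operations in a toy API dispatcher.

Hypothetical operation names and roles; not Western Digital's API.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Session:
    """An authenticated API session (constructed for this example)."""
    user: str
    role: str  # "admin" or "user"


class Forbidden(Exception):
    """Raised when a request fails the authentication or authorization check."""


# Operations that change device state in a way only an administrator should be
# able to trigger. Hypothetical names, not the device's real routes.
PRIVILEGED_OPS = frozenset({"firmware_upload", "firmware_install", "factory_reset"})
# Operations any authenticated account may call.
PUBLIC_OPS = frozenset({"list_shares", "get_status"})

# Denied privileged calls, kept so a defender can alert on repeated attempts.
AUDIT: List[str] = []


def dispatch_vulnerable(session: Optional[Session], op: str) -> str:
    """Weak pattern: checks only that *some* account is logged in.

    Every authenticated user, including a low-privileged one, can upload and
    install firmware. This mirrors the class of flaw the advisory describes.
    """
    if session is None:
        raise Forbidden("authentication required")
    return f"ok:{op}:{session.user}"


def dispatch_hardened(session: Optional[Session], op: str) -> str:
    """Hardened pattern: authentication plus per-operation authorization.

    Privileged operations are allowlisted and require the admin role; unknown
    operations are rejected instead of being passed through by default.
    """
    if session is None:
        raise Forbidden("authentication required")
    if op in PRIVILEGED_OPS:
        if session.role != "admin":
            AUDIT.append(f"DENY user={session.user} role={session.role} op={op}")
            raise Forbidden(f"{op} requires the administrator role")
    elif op not in PUBLIC_OPS:
        raise Forbidden(f"unknown operation {op!r}")
    return f"ok:{op}:{session.user}"


Dispatcher = Callable[[Optional[Session], str], str]


def attempt(dispatcher: Dispatcher, session: Optional[Session], op: str) -> str:
    """Run one request and report the outcome as a string."""
    try:
        return dispatcher(session, op)
    except Forbidden as exc:
        return f"forbidden:{exc}"


if __name__ == "__main__":
    low = Session("guest", "user")    # constructed low-privileged account
    admin = Session("owner", "admin")  # constructed administrator account
    for name, disp in (("vulnerable", dispatch_vulnerable), ("hardened", dispatch_hardened)):
        print(name, "low  ->", attempt(disp, low, "firmware_upload"))
        print(name, "admin->", attempt(disp, admin, "firmware_upload"))
    print("\n".join(AUDIT))
```

The hardened dispatcher fails closed: a request for an operation that is neither in the privileged allowlist nor in the public list is refused, so a newly added firmware-related route cannot silently fall into the "anyone logged in" bucket. The audit entries are what a detection rule would match on; a burst of denied firmware operations from a non-admin account is a signal worth alerting on.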
Exploit
Missing Authorization
Improper Access Control
Unrestricted File Upload
Incorrect Privilege Assignment
Related Identifiers
Affected Products
Western Digital My Cloud