CVE-2023-22815

Name of the Vulnerable Software and Affected Versions Western Digital My Cloud OS 5 versions prior to 5.26.300

Description The issue is related to a post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices. This could allow an attacker to execute code in the context of the root user on vulnerable CGI files. The vulnerability can only be exploited over the network and requires the attacker to already have admin/root privileges. An authentication bypass is necessary for this exploit, making it more complex. The attack may not require user interaction. Given that an attacker must already be authenticated, the confidentiality impact is low, while the integrity and availability impact is high.

Recommendations For Western Digital My Cloud OS 5 versions prior to 5.26.300, update to version 5.26.300 or later to resolve the issue. As a temporary workaround, consider restricting access to vulnerable CGI files until a patch is applied. Additionally, ensure that admin/root privileges are tightly controlled to minimize the risk of exploitation.