CVE-2018-17153: It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated a...

Description

It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.

Metrics

EPSS Probability

86.59%

99.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions
Western Digital	My Cloud Wdbctl0020hwt Firmware	< 2.30.196
Western Digital	My Cloud Pr4100	< 2.30.196
Western Digital	My Cloud Pr2100 Firmware	< 2.30.196
Western Digital	My Cloud Mirror Gen 2 Firmware	< 2.30.196
Western Digital	My Cloud Mirror Firmware	< 2.30.196
Western Digital	My Cloud Ex4100	< 2.30.196
Western Digital	My Cloud Ex4 Firmware	< 2.30.196
Western Digital	My Cloud Ex2100 Firmware	< 2.30.196
Western Digital	My Cloud Ex2 Ultra Firmware	< 2.30.196
Western Digital	My Cloud Ex2 Firmware	< 2.30.196
Western Digital	My Cloud Dl4100 Firmware	< 2.30.196
Western Digital	My Cloud Dl2100	< 2.30.196

References

http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html
http://www.securityfocus.com/bid/105359Third Party Advisory, VDB Entry
https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.htmlExploit, Third Party Advisory
https://support.wdc.com/knowledgebase/answer.aspx?ID=25952Third Party Advisory
http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html
http://www.securityfocus.com/bid/105359Third Party Advisory, VDB Entry
https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.htmlExploit, Third Party Advisory
https://support.wdc.com/knowledgebase/answer.aspx?ID=25952Third Party Advisory

Timeline

Published: Sep 18, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-17153?

It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.

How severe is CVE-2018-17153?

Severity scoring for CVE-2018-17153 is pending analysis. The EPSS model estimates a 86.59% probability of exploitation in the next 30 days.

How do I fix CVE-2018-17153?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.