CVE-2018-9148

Name: CVE-2018-9148
Creator: NVD / NIST
Published: 2018-03-30T19:29:00.397+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 3.79%

Last modified Jun 17, 2026

CVE-2018-9148 is a vulnerability of currently unknown severity. Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.. EPSS estimates a 3.79% chance of exploitation in the next 30 days.

Description

Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.

Metrics

EPSS Probability

3.79%

88.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions
Westerndigital	My Cloud Firmware	04.05.00-320

References

https://exploit-db.com/exploits/44350/Exploit, Third Party Advisory, VDB Entry
https://exploit-db.com/exploits/44350/Exploit, Third Party Advisory, VDB Entry

Timeline

Published: Mar 30, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-9148?

How severe is CVE-2018-9148?

Severity scoring for CVE-2018-9148 is pending analysis. The EPSS model estimates a 3.79% probability of exploitation in the next 30 days.

How do I fix CVE-2018-9148?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-9148?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST