cbcvebase.
CVE-2016-10108
published 2017-01-03

CVE-2016-10108: Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter…

Priority: P1 | 92 | critical | 9.8 (CVSS 3.0)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 95.17% (99.9th percentile)
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.

Affected (1 range)

Vendor: western_digital
Product: mycloud_nas
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /web/google_analytics.php
path: /web/google_analytics.php
cookie: isAdmin=1; username=admin
cookie: username=admin
command: cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23
cookie: isAdmin=1; username=admin|echo%20`ping -c 3 {{interactsh-url}}`; local_login=1
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Western Digital google_analytics.php arg Parameter Command Injection Attempt (CVE-2016-10108)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/web/google_analytics.php"; http.cookie; content:"isAdmin|3d|1"; content:"fw_version|3d|"; fast_pattern; http.request_body; content:"arg|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.cve.org/CVERecord?id=CVE-2016-10108; reference:cve,2016-10108; classtype:attempted-admin; sid:2065989; rev:1; metadata:affected_product Western_Digital, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_02, cve CVE_2016_10108, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect POST requests to /web/google_analytics.php with the 'arg' parameter containing shell metacharacters (pipe, semicolon, backtick, newline, dollar sign) — the core injection vector for CVE-2016-10108.
  • Look for the combination of HTTP cookie fields 'isAdmin=1' and 'fw_version=' alongside a POST to /web/google_analytics.php as a high-confidence exploit indicator.
  • Subsequent requests after the auth bypass will carry the cookie 'username=admin'; monitor for sessions that present this cookie without a prior login flow.
  • The Nuclei template for CVE-2016-10108 uses DNS interaction (OOB) via ping in the username cookie field; monitor for outbound DNS/ICMP from WD MyCloud devices to unexpected external hosts.
  • Shodan/FOFA fingerprint for exposed WD MyCloud devices: favicon hash -1074357885. Use this to identify internet-facing targets.
  • Response body containing both 'uid=' (from id command output) and 'ganalytics' string in a 200 OK reply to /web/google_analytics.php confirms successful RCE.
  • The command injection vector in CVE-2016-10108 may be exploitable without the authentication bypass (CVE-2018-17153) on firmware versions before 2.21.126; on 2.30.183 the auth bypass is required first.
  • The patch for CVE-2016-10108 did not remove the injection vector itself but only restricted unauthenticated access to it; the injection remains present in patched versions and is reachable via the auth bypass.
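As an added, defender-side example that is not part of this record, the matching logic of the Snort rule above rewritten in Python and run over constructed sample requests (the `Host` value and the `fw_version` cookie value are made up; the attack body is the `command` IOC listed above):

```python
import re

# Shell metacharacters the Snort rule's pcre looks for inside the arg value,
# raw or URL-encoded: ';' newline '`' '|' '$'. It stops at the next '&'.
_ARG_INJECT = re.compile(
    r"arg=[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, URI, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def matches_cve_2016_10108(raw: str) -> bool:
    """Mirror the Snort rule: POST to exactly /web/google_analytics.php
    (bsize:25), a cookie carrying isAdmin=1 and fw_version=, and an arg=
    value in the body that contains a shell metacharacter."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["uri"] != "/web/google_analytics.php":
        return False
    cookie = req["headers"].get("cookie", "")
    if "isAdmin=1" not in cookie or "fw_version=" not in cookie:
        return False
    return _ARG_INJECT.search(req["body"]) is not None


# Constructed sample traffic (not captured from a real device).
_HEAD = (
    "POST /web/google_analytics.php HTTP/1.1\r\n"
    "Host: nas.example\r\n"
    "Cookie: isAdmin=1; username=admin; fw_version=2.11.142\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
)
ATTACK = _HEAD + "cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23"
BENIGN = _HEAD + "cmd=set&opt=cloud-device-num&arg=0"

if __name__ == "__main__":
    print("attack flagged:", matches_cve_2016_10108(ATTACK))  # True
    print("benign flagged:", matches_cve_2016_10108(BENIGN))  # False
```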

CVSS provenance

NVD v3.0: 9.8 CRITICAL CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL