CVE-2016-10108
Published 2017-01-03
Priority P1 · 92 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 95.17% (99.9th percentile)
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| western_digital | mycloud_nas | — | — |
Detection & IOCs (extracted from sources)
Suricata (Emerging Threats) rule (uses Suricata sticky buffers such as http.method, http.uri and bsize, so it is not a legacy Snort 2 signature):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Western Digital google_analytics.php arg Parameter Command Injection Attempt (CVE-2016-10108)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/web/google_analytics.php"; http.cookie; content:"isAdmin|3d|1"; content:"fw_version|3d|"; fast_pattern; http.request_body; content:"arg|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.cve.org/CVERecord?id=CVE-2016-10108; reference:cve,2016-10108; classtype:attempted-admin; sid:2065989; rev:1; metadata:affected_product Western_Digital, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_02, cve CVE_2016_10108, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect POST requests to /web/google_analytics.php whose 'arg' form field contains a shell metacharacter (semicolon, newline, backtick, pipe, dollar sign), raw or percent-encoded, before the next '&'. This is the core injection vector for CVE-2016-10108.
- Treat the combination of the cookie fields 'isAdmin=1' and 'fw_version=' together with a POST to /web/google_analytics.php as a high-confidence exploit indicator.
- Requests sent after the authentication bypass carry the cookie 'username=admin'; monitor for sessions presenting this cookie without a preceding login flow.
- The Nuclei template for CVE-2016-10108 uses out-of-band DNS interaction via a ping in the username cookie field; monitor for outbound DNS or ICMP from WD MyCloud devices to unexpected external hosts.
- Shodan/FOFA fingerprint for exposed WD MyCloud devices: favicon hash -1074357885. Use it to identify internet-facing targets.
- A 200 OK reply to /web/google_analytics.php whose body contains both 'uid=' (output of the id command) and the string 'ganalytics' confirms successful RCE.
- The command injection in CVE-2016-10108 may be exploitable without the authentication bypass (CVE-2018-17153) on firmware versions before 2.21.126; on 2.30.183 the authentication bypass is required first.
- The patch for CVE-2016-10108 did not remove the injection itself but only restricted unauthenticated access to it; the injection remains present in patched versions and is reachable via the authentication bypass.
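The following Python is an added example, not code from the page, from Emerging Threats or from Western Digital. It re-implements the matching logic of the Suricata rule above over constructed HTTP requests (exact URI, POST method, cookie markers, and a shell metacharacter in the 'arg' field before the next '&'), and adds the response check from the last IOC bullet. The sample requests, the host address and any form field other than 'arg' are constructed assumptions.

```python
import re

# Shell metacharacters the ET rule's pcre accepts in the arg value, raw or
# percent-encoded: ';' newline '`' '|' '$'
SHELL_META = re.compile(r"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def form_field(body: str, name: str):
    """Raw (still percent-encoded) value of a urlencoded form field, or None.
    Splitting on '&' mirrors the rule's [^&]*? (metachar must precede the next field)."""
    for part in body.split("&"):
        key, sep, value = part.partition("=")
        if sep and key == name:
            return value
    return None


def matches_cve_2016_10108(raw: str) -> bool:
    """Re-implementation of ET sid:2065989 applied to one request."""
    req = parse_request(raw)
    # http.method POST; http.uri bsize:25 means the target is exactly the script path
    if req["method"] != "POST" or req["target"] != "/web/google_analytics.php":
        return False
    # http.cookie content matches are plain substring checks
    cookie = req["headers"].get("cookie", "")
    if "isAdmin=1" not in cookie or "fw_version=" not in cookie:
        return False
    arg = form_field(req["body"], "arg")
    if arg is None:
        return False
    return SHELL_META.search(arg) is not None


def confirms_rce(status_line: str, response_body: str) -> bool:
    """Post-exploitation confirmation from the IOC list: a 200 OK whose body
    carries both 'uid=' (id output) and the 'ganalytics' string."""
    return (status_line.startswith("HTTP/1.1 200")
            and "uid=" in response_body
            and "ganalytics" in response_body)


# Constructed sample traffic (not real captures). Host and the 'extra' field
# are assumptions; the arg field and cookie names come from the rule.
EXPLOIT_REQUEST = (
    "POST /web/google_analytics.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Cookie: isAdmin=1; username=admin; fw_version=2.11.142\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "arg=x%3Bid&extra=1"
)
BENIGN_REQUEST = (
    "POST /web/google_analytics.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Cookie: isAdmin=1; fw_version=2.11.142\r\n"
    "\r\n"
    "arg=UA-12345-1"
)
# Metachar only in a later field: the rule stops at '&', so no alert
NEXT_FIELD_REQUEST = (
    "POST /web/google_analytics.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Cookie: isAdmin=1; fw_version=2.11.142\r\n"
    "\r\n"
    "arg=UA-1&extra=%3Bid"
)
NO_COOKIE_REQUEST = (
    "POST /web/google_analytics.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Cookie: username=admin\r\n"
    "\r\n"
    "arg=x%3Bid"
)

if __name__ == "__main__":
    for label, raw in [("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST),
                       ("next-field", NEXT_FIELD_REQUEST), ("no-cookie", NO_COOKIE_REQUEST)]:
        print(label, matches_cve_2016_10108(raw))
```

Two properties of the rule are worth keeping in mind when tuning it: the bsize:25 check means a request with a query string appended to the path is not matched, and the cookie conditions are substring matches, so an injection attempt that omits 'isAdmin=1' (for example one relying on the auth bypass cookie alone) falls outside this signature and needs a separate rule.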
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-gx5g-w3r2-cxj2 · ghsa_unreviewed · 2022-05-17 · CVE-2016-10108 [CRITICAL] · CWE-77
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
VulnCheck
Western Digital mycloud_nas Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck · 2016 · CVSS 9.8 · CVE-2016-10108 [CRITICAL]
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
Affected: Western Digital mycloud_nas
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-07&host_type=src&vulnerability=cve-2016-10108; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-08&host_type=src&vulnerability=cve-2016-10108; https://dashboard.shad
Suricata
ET WEB_SPECIFIC_APPS Western Digital google_analytics.php arg Parameter Command Injection Attempt (CVE-2016-10108)
suricata · 2025-12-02 · CVSS 9.8 · CVE-2016-10108 [CRITICAL] · sid:2065989
Rule: the full signature is reproduced above under Detection & IOCs.
Nuclei
Western Digital MyCloud NAS - Authentication Bypass
nuclei · CVSS 9.8 · CVE-2018-17153 [CRITICAL]
It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without
Nuclei
Western Digital MyCloud NAS - Command Injection
nuclei · CVSS 9.8 · CVE-2016-10108 [CRITICAL]
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
Template:
id: CVE-2016-10108

info:
  name: Western Digital MyCloud NAS - Command Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data loss, and potential compromise of the entire network.
  remediation: |
    Apply the latest firmware update provided by Western Digital to patch the vulnerability.
Metasploit
Western Digital MyCloud unauthenticated command injection
metasploit · CVSS 9.8 · CVE-2018-17153 [CRITICAL]
This module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected, the module assesses the vulnerability status by attempting to exploit a command injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command. This is done via a crafted POST request to /web/google_analytics.php. If the server is vulnerable
GreyNoise
Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
blogs_greynoiseio · 2025-05-27
GreyNoise
NoiseLetter March 2025
blogs_greynoiseio
References
- http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html
- http://www.securityfocus.com/bid/95200
- https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/