CVE-2017-17560
published 2017-12-12


Priority: P1 (90), critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ITW EXPLOIT: VulnCheck KEV, exploited in the wild
EPSS: 73.40% (99.4th percentile)
An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.

Affected

1 range
Vendor: westerndigital
Product: my_cloud_pr4100_firmware
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /web/jquery/uploader/multi_uploadify.php
path: /var/www
filename: .*.php (random alphanumeric, dot-prefixed PHP shell)
url: /web/jquery/uploader/multi_uploadify.php?status=1
  • Detect unauthenticated HTTP POST requests to /web/jquery/uploader/multi_uploadify.php with a multipart/form-data body containing a PHP file upload (Filedata[] field) and a 'folder' GET parameter pointing to a web-accessible path such as /var/www.
  • A 302 redirect response from /web/jquery/uploader/multi_uploadify.php with a Location header matching '?status=1' indicates a successful (vulnerable) file upload; monitor for this response pattern.
  • Monitor for creation of dot-prefixed .php files (e.g., .<random>.php) in /var/www on Western Digital MyCloud devices, which is the pattern used by the exploit to drop a PHP shell.
  • A subsequent GET request to the uploaded PHP filename at the web root (e.g., GET /.<random>.php) immediately after a POST to multi_uploadify.php indicates payload execution; correlate these two requests in HTTP logs.
  • Any unauthenticated access (no session cookie/token) to /web/jquery/uploader/multi_uploadify.php should be treated as suspicious; the endpoint requires no authentication.
  • The exploit targets Western Digital MyCloud PR4100 firmware version 2.30.172 specifically; other firmware versions may or may not be vulnerable.
  • The Metasploit module uses ARCH_PHP and platform 'php', meaning the uploaded payload is a PHP script executed server-side as root; detection should focus on PHP file creation and execution, not binary payloads.
  • The module registers the uploaded PHP file for cleanup after execution, so the malicious file may be short-lived on disk; real-time file integrity monitoring of /var/www is recommended rather than relying on post-incident forensics.
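The detection rules above, applied to HTTP logs, as an added example (not code from cvebase, NVD or the Metasploit module). The tab-separated request log, the sample entries in it, and the 60-second correlation window between the upload POST and the follow-up GET are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

UPLOADER = "/web/jquery/uploader/multi_uploadify.php"
# Dot-prefixed, random-alphanumeric PHP file at the web root (the drop pattern from the IOC list)
DROPPED_SHELL = re.compile(r"^/\.[A-Za-z0-9]+\.php$")
CORRELATION_WINDOW = timedelta(seconds=60)  # assumption: max gap between upload POST and GET

# Constructed sample log (not real traffic). Tab-separated, one request per line:
# time  src_ip  method  path  status  cookie  location   ("-" means absent)
SAMPLE_LOG = """\
2024-01-01T10:00:00\t10.0.0.5\tGET\t/web/index.html\t200\t-\t-
2024-01-01T10:00:05\t10.0.0.9\tPOST\t/web/jquery/uploader/multi_uploadify.php?folder=/var/www\t302\t-\t/web/jquery/uploader/multi_uploadify.php?status=1
2024-01-01T10:00:07\t10.0.0.9\tGET\t/.kq8fz2Lm.php\t200\t-\t-
2024-01-01T10:05:00\t10.0.0.7\tPOST\t/web/jquery/uploader/multi_uploadify.php?folder=/tmp\t200\tPHPSESSID=abc\t-
"""

def parse_line(line):
    ts, src, method, path, status, cookie, location = line.split("\t")
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "path": path.split("?", 1)[0], "query": path.partition("?")[2],
            "status": int(status), "cookie": None if cookie == "-" else cookie,
            "location": None if location == "-" else location}

def detect(log_text):
    """Return (src_ip, alert) tuples for the CVE-2017-17560 request patterns."""
    alerts = []
    recent_uploads = {}  # src_ip -> time of the last accepted (302 -> ?status=1) upload
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["path"] == UPLOADER:
            if r["cookie"] is None:  # endpoint reached with no session cookie at all
                alerts.append((r["src"], "unauthenticated access to multi_uploadify.php"))
            if "folder=/var/www" in r["query"]:  # 'folder' parameter aimed at the web root
                alerts.append((r["src"], "upload folder parameter targets /var/www"))
            if r["status"] == 302 and r["location"] and "status=1" in r["location"]:
                alerts.append((r["src"], "upload accepted (302 -> ?status=1)"))
                recent_uploads[r["src"]] = r["ts"]
        elif r["method"] == "GET" and DROPPED_SHELL.match(r["path"]):
            last = recent_uploads.get(r["src"])  # correlate with an earlier upload by the same source
            if last is not None and r["ts"] - last <= CORRELATION_WINDOW:
                alerts.append((r["src"], "dropped PHP file executed: " + r["path"]))
    return alerts

if __name__ == "__main__":
    for src, alert in detect(SAMPLE_LOG):
        print(src, alert)
```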

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck  -         9.8     CRITICAL   -