CVE-2018-18472
published 2019-06-19
CVE-2018-18472: Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the…
Priority P188 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS 30.28% (98.0th percentile)
Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| westerndigital | wd_my_book_live_firmware | >= 2.0 | — |
Detection & IOCs
- Check Point IPS signature available for detection of exploitation attempts targeting CVE-2018-18472.
- The vulnerability can be triggered by any remote attacker who knows the IP address of the affected device — no authentication required. Monitor for unauthenticated remote command execution attempts against WD My Book Live / My Book Live Duo devices exposed to the internet.
- Exploitation observed in the wild in June 2021 resulting in factory reset commands being issued, wiping all data on affected devices. Investigate unexpected factory resets or mass data loss on WD My Book Live devices as a potential indicator of exploitation.
- Affected devices (WD My Book Live and My Book Live Duo, all versions) received their final firmware update in 2015 and are end-of-life; no patch is available from the vendor. The attack surface is limited to devices directly reachable from the internet.
- CVE-2018-18472 (root RCE) is a distinct vulnerability from CVE-2021-35941 (unauthenticated factory reset); both were exploited in the June 2021 campaign but require separate detection and remediation considerations.
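CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |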
GHSA
GHSA-gjqh-4gc9-vchf: Western Digital WD My Book Live (all versions) has a root Remote Command Execution bug via shell metacharacters in the /api/1
ghsa_unreviewed·2022-05-24
CVE-2018-18472 [CRITICAL] CWE-78 GHSA-gjqh-4gc9-vchf: Western Digital WD My Book Live (all versions) has a root Remote Command Execution bug via shell metacharacters in the /api/1
Western Digital WD My Book Live (all versions) has a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device.
GHSA
GHSA-mc72-rv83-h28w: Western Digital WD My Book Live (2
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2021-35941 [CRITICAL] CWE-287 GHSA-mc72-rv83-h28w: Western Digital WD My Book Live (2
Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerability than CVE-2018-18472.
VulnCheck
Western Digital wd_my_book_live_firmware Missing Authentication for Critical Function
vulncheck·2021·CVSS 9.8
CVE-2021-35941 [CRITICAL] Western Digital wd_my_book_live_firmware Missing Authentication for Critical Function
Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerability than CVE-2018-18472.
Affected: Western Digital wd_my_book_live_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2021-35941; https://www.westerndigital.com/support/product-security/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo
VulnCheck
Western Digital my_book_live_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2018·CVSS 9.8
CVE-2018-18472 [CRITICAL] Western Digital my_book_live_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,
Affected: Western Digital my_book_live_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2018-18472; https://www.westerndigital.com/support/prod
No detection rules found.
No public exploits indexed.
Checkpoint
20th December – Threat Intelligence Report
blogs_checkpoint·2021-12-20·CVSS 10.0
CVE-2021-44228 [CRITICAL] 20th December – Threat Intelligence Report
## 20th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th December, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has reported that an Iranian threat group commonly associated with the local regime, “Charming Kitten”, has been attempting to exploit the Log4j vulnerability against 7 Israeli targets in Government and business sectors.
Check Point IPS provides protection against this threat (Apache Log4j Remote C
Krebs
MyBook Users Urged to Unplug Devices from Internet
blogs_krebs·2021-06-25·CVSS 9.8
[CRITICAL] MyBook Users Urged to Unplug Devices from Internet
Hard drive giant Western Digital is urging users of its MyBook Live brand of network storage drives to disconnect them from the Internet, warning that malicious hackers are remotely wiping the drives using a critical flaw that can be triggered by anyone who knows the Internet address of an affected device.
Earlier this week, Bleeping Computer and Ars Technica pointed to a heated discussion thread on Western Digital’s user forum where many customers complained of finding their MyBook Live and MyBook Live Duo devices completely wiped of their data.
“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a statement June 24. “In some cases, this compromise
- https://community.wd.com/t/action-required-on-my-book-live-and-my-book-live-duo/268147
- https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo
- https://www.wizcase.com/blog/hack-2018/
Published: 2019-06-19
Exploited in the wild