CVE-2022-22990
Published 2022-01-13
Priority P3 | 55 | high | 8.8 (CVSS 3.1)
AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.12% (79.6th percentile)
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| western_digital | my_cloud | >= My Cloud OS 5 < 5.19.117 | 5.19.117 |
| westerndigital | my_cloud_os | < 5.19.117 | 5.19.117 |
CVSS provenance
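| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 8.3 | HIGH | AV:A/AC:L/Au:N/C:C/I:C/A:C |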
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117
https://www.zerodayinitiative.com/advisories/ZDI-22-076/
https://www.zerodayinitiative.com/advisories/ZDI-22-347/
2022-01-13
Published