cbcvebase.
CVE-2022-29844
published 2023-01-26


Priority: P277 · Severity: critical 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 36.41% (98.3rd percentile)
A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.

Affected

9 ranges

Vendor          | Product                          | Version range                  | Fixed in
western_digital | my_cloud                         | >= My Cloud OS 5, < 5.26.119   | 5.26.119
westerndigital  | my_cloud_dl2100_firmware         | < 5.26.119                     | 5.26.119
westerndigital  | my_cloud_dl4100_firmware         | < 5.26.119                     | 5.26.119
westerndigital  | my_cloud_ex2100_firmware         | < 5.26.119                     | 5.26.119
westerndigital  | my_cloud_ex2_ultra_firmware      | < 5.26.119                     | 5.26.119
westerndigital  | my_cloud_ex4100_firmware         | < 5.26.119                     | 5.26.119
westerndigital  | my_cloud_mirror_g2_firmware      | < 5.26.119                     | 5.26.119
westerndigital  | my_cloud_pr2100_firmware         | < 5.26.119                     | 5.26.119
westerndigital  | my_cloud_pr4100_firmware         | < 5.26.119                     | 5.26.119

Detection & IOCs (extracted from sources)

path: /wd/usr/lib/libftp_allow.so
path: /etc/NAS_CFG/ftp.xml
command: USER <payload>
other: shodan:http.favicon.hash:-1074357885
other: fofa:icon_hash=-1074357885
yara: words: ['WDMyCloud', 'Cloud_Connection_StatusID', 'my_cloud_os', 'WD Privacy Statement']
  • Exploit sends an FTP USER command with a username payload exceeding 2048 bytes to trigger a buffer overflow in douser(), overwriting the global 'loggedin' variable to bypass authentication without a password.
  • Arbitrary file read of /etc/NAS_CFG/ftp.xml via FTP RETR is a key reconnaissance step in the exploit chain; alert on unauthenticated or anomalous FTP RETR requests targeting this path.
  • FTP STOR command used for arbitrary file write (e.g., dropping a webshell/backdoor); must be preceded by a PORT command (active mode). Monitor for FTP PORT + STOR sequences from unauthenticated or anomalous sessions on WD My Cloud devices.
  • Detect WD My Cloud panel exposure by matching HTTP response body for strings 'WDMyCloud', 'Cloud_Connection_StatusID', 'my_cloud_os', or 'WD Privacy Statement' with HTTP 200 status.
  • The exploit targets the Pure-FTPd-based FTP service patched by Western Digital; the vulnerable firmware version is prior to 5.26.119. Confirm exposure by checking firmware version on My Cloud Pro Series PR4100 devices.
  • The authentication bypass leaves the FTP process running as root (no setuid() call), which affects ACL checks: root is not treated as 'admin' by Get_Share_Permission(), but Public shares (#@allaccount#) remain writable.
  • The exploit only works when the FTP service is activated on the device; if FTP is disabled, the attack surface does not exist.
  • The overflow payload must not contain NULL bytes (except the terminating one), which constrains the attacker's ability to place arbitrary data in the overwritten region.