Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdiClaroty Research - Vera Mens, Noam Moshe, Uri Katz, Sharon BrizinovZDI-23-1051
HistoryAug 09, 2023 - 12:00 a.m.

Western Digital MyCloud PR4100 CGI API Command Injection Remote Code Execution Vulnerability

2023-08-0900:00:00
Claroty Research - Vera Mens, Noam Moshe, Uri Katz, Sharon Brizinov
www.zerodayinitiative.com
5
command injection
remote code execution
cgi api
authentication
system call
root
JSON

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the Western Digital MyCloud PR4100 NAS device. Authentication is required to exploit this vulnerability. The specific flaw exists within the CGI API. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.

JSON