Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdiDiscovered by: Claroty Research - Vera Mens, Noam Moshe, Uri Katz, Sharon BrizinovZDI-23-1052
HistoryAug 09, 2023 - 12:00 a.m.

Western Digital MyCloud PR4100 Logger Class Command Injection Remote Code Execution Vulnerability

2023-08-0900:00:00
Discovered by: Claroty Research - Vera Mens, Noam Moshe, Uri Katz, Sharon Brizinov
www.zerodayinitiative.com
2
western digital mycloud pr4100
logger class
command injection
remote code execution
authentication
validation
exec call
root context
JSON

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the Western Digital MyCloud PR4100 NAS device. Authentication is required to exploit this vulnerability. The specific flaw exists within the Logger class. The issue results from the lack of proper validation of a user-supplied string before using it to perform an exec call. An attacker can leverage this vulnerability to execute code in the context of root.

JSON