Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdiDiscovered by: Claroty Research - Vera Mens, Noam Moshe, Uri Katz, Sharon BrizinovZDI-23-1053
HistoryAug 09, 2023 - 12:00 a.m.

Western Digital MyCloud PR4100 REST SDK Use of Potentially Dangerous Function Remote Code Execution Vulnerability

2023-08-0900:00:00
Discovered by: Claroty Research - Vera Mens, Noam Moshe, Uri Katz, Sharon Brizinov
www.zerodayinitiative.com
2
western digital
mycloud pr4100
vulnerability
remote code execution
authentication
JSON

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the Western Digital MyCloud PR4100 NAS device. Authentication is required to exploit this vulnerability. The specific flaw exists within the REST SDK. The issue results from the lack of proper validation of a user-supplied string before passing it to the β€œcall_user_function” inbuilt function. An attacker can leverage this vulnerability to execute code in the context of root.

JSON