CVE-2016-10108 : Unauthenticated Remote Command injection as root occurs in the Western Digital M

Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.

Published 2017-01-03 06:59:00

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2016-10108

Western Digital » Mycloud Nas » Version: 2.11.142
cpe:2.3:a:western_digital:mycloud_nas:2.11.142:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-10108

EPSS FAQ

91.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2016-10108

Western Digital MyCloud unauthenticated command injection

Disclosure Date: 2016-12-14

First seen: 2023-09-11

exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection

This module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module fir

More information

CVSS scores for CVE-2016-10108

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-10108

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2016-10108

Western Digital 2017-01-09

This was resolved via My Cloud product firmware update 2.11.157 for the My Cloud EX2, EX4, and Mirror (Gen 1) models, and My Cloud product firmware update 2.21.126 for all other affected My Cloud models (My Cloud, PR 4100, PR2100, DL4100, DL2100, EX4100, EX2100, EX2 Ultra models). The firmware updates were made available December 20, 2016. The product firmware updates are available through the Update Firmware option on the My Cloud device itself or from the specific My Cloud product model’s support page at: http://support.wdc.com/downloads.aspx?g=904&lang=en#downloads .

References for CVE-2016-10108

http://www.securityfocus.com/bid/95200

Western Digital MyCloud NAS CVE-2016-10108 Remote Command Injection Vulnerability
https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/

404 - Page not found – Steve Campbell – Security Consultant and Penetration Tester
Exploit;Third Party Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html

Western Digital MyCloud Unauthenticated Command Injection ≈ Packet Storm

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-10108