Western Digital fixes critical security vulnerabilities in My Cloud NAS systems


Feb 4, 2016
Western Digital is patching vulnerabilities in the My Cloud OS 3 firmware of the My Cloud EX2, My Cloud EX4 and My Cloud Mirror NAS systems that could allow attackers to gain full access to the devices.

The manufacturer describes only one of the critical vulnerabilities (server-side request forgery) in concrete terms, whereby attackers could use manipulated requests to establish connections to the local network, explore it and possibly penetrate further (CVE-2021-40438, CVSS 9.0, risk critical).

In the security advisory, Western Digital explains that the vulnerabilities are due to the Apache server used. The three other CVE entries, CVE-2021-39275 (CVSS 9.8, critical), CVE-2021-34798 (CVSS 7.5, high) and CVE-2021-36160 (CVSS 7.5, high), describe further gaps. Attackers could use these to trigger a buffer overflow and possibly execute injected code. The latter two vulnerabilities could potentially allow attackers to crash the server.
