CVE-2020-28970

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to bypass authentication on Western Digital My Cloud OS 5 devices and execute privileged commands. Attackers can then upload and execute arbitrary PHP scripts, potentially gaining full control of affected NAS devices. All users of Western Digital My Cloud OS 5 devices before version 5.06.115 are affected.

💻 Affected Systems

Products:
  • Western Digital My Cloud OS 5 devices
Versions: All versions before 5.06.115
Operating Systems: My Cloud OS 5
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Western Digital My Cloud devices running OS 5 firmware before the patched version.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the NAS device leading to data theft, ransomware deployment, lateral movement to other network devices, and persistent backdoor installation.

🟠 Likely Case: Unauthorized access to sensitive files, installation of malware or cryptocurrency miners, and use of the device as a pivot point for attacking other network resources.

🟢 If Mitigated: Limited impact if the device is not reachable from the internet and is segmented from the rest of the internal network, with strict firewall rules and monitoring in place.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication, allowing remote attackers to gain full control.
🏢 Internal Only: HIGH - Even internally, this provides unauthenticated attackers with administrative access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted cookies to bypass authentication, then using the upload endpoint to execute arbitrary PHP code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.06.115

Vendor Advisory: https://www.westerndigital.com/support/productsecurity/wdc-20009-os5-firmware-5-06-115

Restart Required: Yes

Instructions:

1. Log into the My Cloud web interface.
2. Navigate to Settings > Firmware.
3. Check for updates and install version 5.06.115 or later.
4. Reboot the device after installation completes.

🔧 Temporary Workarounds

Network Isolation (applies to: all)

Block all external access to the My Cloud device at the firewall level.

Disable Web Interface (applies to: all)

Temporarily disable the web administration interface if it is not needed.

🧯 If You Can't Patch

  • Immediately disconnect the device from the internet and isolate it on a separate VLAN
  • Implement strict firewall rules to only allow necessary traffic from trusted IP addresses

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the My Cloud web interface under Settings > Firmware. If version is below 5.06.115, the device is vulnerable.

Check Version:

Check via web interface: Settings > Firmware, or via SSH if enabled: cat /etc/version

Verify Fix Applied:

Confirm firmware version shows 5.06.115 or higher in the web interface after patching.
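As an added example (not vendor or advisory code), the check above expressed as a helper that decides whether a reported firmware string falls in the affected range. It assumes the three-part form shown in the web interface (e.g. 5.06.115) and compares the components numerically rather than as text, because text comparison misorders components such as 99 and 115.

```python
"""Firmware version check for CVE-2020-28970 (added example, not vendor code).

Assumption: the version string has the three-part form shown in the My Cloud
UI, e.g. "5.06.115". The fixed release comes from the vendor advisory.
"""
import re

FIXED_VERSION = "5.06.115"


def parse_version(version):
    """Turn "5.06.115" into (5, 6, 115) so comparisons are numeric.

    Comparing as text is wrong once a component has a different number of
    digits: "5.06.99" sorts after "5.06.115" as a string, but 99 < 115.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError("unrecognised firmware version: %r" % (version,))
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if the firmware is an OS 5 build older than the fixed release.

    The affected range on this page is OS 5 only, so any other major version
    is reported as not affected by this CVE (it may still need other checks).
    """
    v = parse_version(version)
    if v[0] != 5:
        return False
    return v < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    for reported in ("5.06.114", "5.06.115", "5.10.122"):
        print(reported, "vulnerable" if is_vulnerable(reported) else "fixed")
```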

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts, unexpected PHP file uploads, administrative actions from unauthenticated IPs

Network Indicators:

  • HTTP requests with suspicious cookie values, POST requests to upload endpoints from unauthenticated sources

SIEM Query:

The strings "authentication bypass", "cookie manipulation" and "unauthorized upload" are descriptions of the technique, not messages any device log emits, so a literal search for them returns nothing. Search instead for the network indicators above. An illustrative Splunk-style query (field names are assumptions; adjust to your log schema):

source="mycloud.log" http_method="POST" uri="*upload*" NOT src_ip IN (<trusted_admin_ips>)
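The log and network indicators above, as an added detection example that is not part of this page or the vendor's material. It parses constructed Apache-style access-log lines with the Cookie header appended as a final quoted field and applies two rules: a POST to an upload endpoint from a client that never completed a successful login earlier in the log, and a cookie value outside a plain session-token alphabet. The `/login` path, the `upload` path substring, the session-token shape and every log line are assumptions; the page does not name the real endpoints or the crafted cookie value.

```python
"""Access-log detection for the CVE-2020-28970 pattern (added example).

Assumptions (not from the page): Apache-style combined lines with the
Cookie header appended as the last quoted field; /login is the login
endpoint; any path containing "upload" is an upload endpoint; a benign
session cookie value is a plain token of [A-Za-z0-9_=-].
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<cookie>[^"]*)"$'
)

LOGIN_PATH = "/login"                               # assumed login endpoint
UPLOAD_RE = re.compile(r"upload", re.I)             # page: "upload endpoints"
SESSION_TOKEN_RE = re.compile(r"^[A-Za-z0-9_=-]+$")  # assumed benign token shape


def parse_line(line):
    """Return the line's fields as a dict, or None if it is not in the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def cookie_values(cookie_header):
    """Split 'a=1; b=2' into ['1', '2']; a '-' placeholder yields []."""
    values = []
    for part in cookie_header.split(";"):
        if "=" in part:
            values.append(part.split("=", 1)[1].strip())
    return values


def analyse(lines):
    """Return findings as (line_no, rule, client_ip, path) tuples.

    unauthenticated-upload: POST to an upload endpoint from an IP with no
        successful login (POST /login -> 200) earlier in the log.
    suspicious-cookie: a cookie value that is not a plain session token,
        the shape a crafted bypass cookie would take (heuristic).
    """
    logged_in = set()
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        status = int(rec["status"])
        for val in cookie_values(rec["cookie"]):
            if val and not SESSION_TOKEN_RE.match(val):
                findings.append((n, "suspicious-cookie", ip, path))
                break
        if method == "POST" and path.startswith(LOGIN_PATH) and status == 200:
            logged_in.add(ip)
        elif method == "POST" and UPLOAD_RE.search(path) and ip not in logged_in:
            findings.append((n, "unauthenticated-upload", ip, path))
    return findings


# Constructed sample: one legitimate admin session, one client that skips
# login and sends a malformed cookie before uploading.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2020:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-"',
    '10.0.0.5 - - [01/Dec/2020:10:00:09 +0000] "POST /api/upload HTTP/1.1" 200 20 "sid=a3f9c1d2e4"',
    '203.0.113.7 - - [01/Dec/2020:10:01:30 +0000] "GET /api/status HTTP/1.1" 200 88 "sid=../../tmp/x; user=admin"',
    '203.0.113.7 - - [01/Dec/2020:10:01:31 +0000] "POST /api/upload HTTP/1.1" 200 20 "sid=../../tmp/x"',
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The login-correlation rule is the one worth keeping even if the cookie heuristic is tuned away: an upload with no preceding login from the same client is exactly what an authentication bypass looks like in an access log, whatever the crafted cookie contains.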

🔗 References