CVE-2021-35941

7.5 HIGH

📋 TL;DR

This vulnerability lets an unauthenticated attacker who can reach the web interface of a Western Digital My Book Live or My Book Live Duo trigger a factory restore through the device's administrator REST API; the handler performs the reset without any authentication check. The result is loss of all stored data and of administrative control of the device. Every owner whose device is reachable from an untrusted network, and in particular every device exposed to the internet through the remote-access feature, is at risk.

💻 Affected Systems

Products:
  • Western Digital WD My Book Live
  • Western Digital WD My Book Live Duo
Versions: My Book Live: 2.x and later; My Book Live Duo: all versions
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; no setting disables the unauthenticated factory-restore handler. This is a different flaw from CVE-2018-18472, the unauthenticated remote code execution bug in the same firmware, which was also used against exposed devices in the June 2021 attacks.

📦 What is this software?

The WD My Book Live (single drive) and My Book Live Duo (two drives) are consumer network-attached storage appliances from Western Digital. They run an embedded Linux firmware administered through a PHP web interface and REST API, and offer a remote-access feature that exposes that interface to the internet, typically via UPnP port mappings created on the home router. The product line received its last firmware update in 2015 and is out of support.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Irreversible loss of all stored data and configuration, and loss of administrative control, since the restore also clears the admin credentials and an attacker can set new ones. Because the same attackers also used CVE-2018-18472 (unauthenticated RCE in this firmware) against exposed devices, a device that was reachable should be treated as fully compromised and a possible host for follow-on malware, not merely wiped.

🟠

Likely Case

Mass data wiping and loss of device control, as in the June 2021 attacks, when thousands of internet-reachable units were reset within a few days.

🟢

If Mitigated

No impact if the device's web interface (TCP 80/443) is unreachable from untrusted networks. There is no patch; isolation is the only effective control.

🌐 Internet-Facing: HIGH - Devices exposed to the internet were mass-wiped in real attacks.
🏢 Internal Only: MEDIUM - Still vulnerable to internal threats but less likely to be targeted.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploited in the wild in June 2021, with mass factory resets reported from 23 June onward. A single HTTP request to the factory-restore endpoint is sufficient; no credentials or session are required, so any host that can open a TCP connection to the device can wipe it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo

Restart Required: No

Instructions:

No official patch exists, and none is expected: the product line left support in 2015. Western Digital recommends disconnecting the device from the internet immediately and backing up its data; after the attacks it also offered data recovery services and a trade-in program for affected owners (see the advisory above).

🔧 Temporary Workarounds

Network Isolation

all

Disconnect the device from the internet and place it behind a firewall with no inbound access. Check the router for UPnP or manual port-forwarding entries that forward TCP 80/443 to the device and remove them; the remote-access feature creates such mappings automatically, which is how most of the wiped devices were reachable. Disable UPnP on the router so the mapping cannot reappear.

Block API Access

linux

On a Linux gateway or firewall that sits between the device and other networks, drop forwarded HTTP/HTTPS traffic destined for the device. The rules belong in the FORWARD chain, not INPUT (INPUT only protects the firewall host itself), and must name the device as destination. Addresses below are placeholders: 192.0.2.10 is the NAS, 192.0.2.50 the one admin workstation allowed to keep using the web UI. Note that a router cannot see traffic between two hosts on the same LAN segment; for that case use a separate VLAN or unplug the device.

# allow only the admin workstation to reach the web UI, drop everyone else
iptables -A FORWARD -s 192.0.2.50 -d 192.0.2.10 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -d 192.0.2.10 -p tcp -m multiport --dports 80,443 -j DROP

🧯 If You Can't Patch

  • Immediately disconnect the device from any network and power it off.
  • Perform a full backup of all data and migrate it to a supported, secure storage solution; do not reconnect the device to the network to do so from outside the trusted segment.
  • If the device has already been reset, do not reinitialize it or write to the disk: the restore does not securely erase the drive, and file data may still be recoverable.

🔍 How to Verify

Check if Vulnerable:

Any WD My Book Live running firmware 2.x or later, and any My Book Live Duo regardless of version, is vulnerable; there is no safe firmware. The practical question is reachability: from a host outside the trusted segment (or from the internet, via the router's public address), check whether TCP 80 or 443 on the device accepts connections. If either does, the factory-restore endpoint is exposed.

Check Version:

The model and serial number are printed on the label of the unit; the firmware version is shown in the system settings of the device's web interface.

Verify Fix Applied:

There is no fix to verify. Instead, confirm that the device's web interface is unreachable from untrusted networks, and that the router holds no UPnP or manual port-forwarding entries pointing at the device. Re-check after router firmware updates or resets, which can re-enable UPnP.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to the /api/1.0/restore_factory_defaults endpoint; do not filter on method alone, since the handler performs no authentication and any request that reaches it is suspect
  • Unexpected factory reset or system restore events in system logs, typically followed by the configured admin password and shares no longer working
  • Caveat: a completed reset destroys the device's own logs, so rely on logs from an upstream proxy, router or firewall for after-the-fact investigation

Network Indicators:

  • Inbound HTTP traffic to the device on ports 80/443 carrying requests to the factory reset API, in particular from sources outside the LAN
  • UPnP port mappings on the router forwarding TCP 80/443 to the device

SIEM Query:

source="mybooklive" AND (uri="/api/1.0/restore_factory_defaults" OR event="factory reset")
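Detection logic for the indicators above, added to this page as a worked example; it is not code from Western Digital or from the device firmware. It parses Apache/nginx combined-format access log lines, either pulled from the NAS or from a proxy or firewall logging in front of it, flags every request to the factory-restore endpoint regardless of HTTP method, and marks requests that did not originate on a LAN range as internet-sourced. The endpoint path is the one listed above; the log lines are constructed for the example, with 203.0.113.5 (a documentation range) standing in for a public attacker address.

```python
"""Scan web-server access logs for requests to the My Book Live factory-restore API.

Added example for this advisory; not code from Western Digital or the device.
Assumes combined-format log lines and the endpoint path listed on the page.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Combined log format: client ident user [time] "METHOD URI PROTO" status bytes ...
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)

# Endpoint named in the indicators above; extend if your logs show another spelling.
SUSPECT_PATHS = ("/api/1.0/restore_factory_defaults",)

# Ranges that belong on a home/office LAN; anything else is treated as internet-originated.
INTERNAL_NETS = [
    ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass
class Hit:
    src: str
    ts: str
    method: str
    uri: str
    status: int
    external: bool  # True when the source is not on a LAN range (the June 2021 pattern)


def normalize_path(uri: str) -> str:
    """Drop the query string and trailing slash and lower-case, so variants match one rule."""
    return uri.split("?", 1)[0].rstrip("/").lower()


def is_external(src: str) -> bool:
    """Classify the client address; unparseable sources are treated as untrusted."""
    try:
        addr = ip_address(src)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def scan(lines):
    """Return a Hit for every request to a factory-restore endpoint.

    The HTTP method is deliberately not used as a filter: the handler resets the
    device without authentication, so a GET that reaches it matters as much as a POST.
    """
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        if normalize_path(m["uri"]) in SUSPECT_PATHS:
            hits.append(
                Hit(m["src"], m["ts"], m["method"], m["uri"], int(m["status"]), is_external(m["src"]))
            )
    return hits


# Constructed sample log: a benign UI request, a reset from a public address,
# an unrelated request from that address, and a reset from a LAN host.
SAMPLE_LOG = [
    '192.168.1.20 - - [23/Jun/2021:14:02:11 +0000] "GET /UI/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Jun/2021:03:17:42 +0000] "POST /api/1.0/restore_factory_defaults HTTP/1.1" 200 212 "-" "python-requests/2.25.1"',
    '203.0.113.5 - - [24/Jun/2021:03:17:43 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "-"',
    '192.168.1.20 - - [24/Jun/2021:09:00:03 +0000] "GET /api/1.0/restore_factory_defaults/ HTTP/1.1" 200 212 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        origin = "INTERNET" if h.external else "LAN"
        print(f"{h.ts}  {origin:8} {h.src:15} {h.method} {h.uri} -> {h.status}")
```

Run it against logs collected before the device was reset, or against the proxy or router logs named in the caveat above; a hit marked INTERNET on a device that was supposed to be LAN-only is also evidence that a port mapping existed and should be hunted down on the router.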
