CVE-2021-36226

9.8 CRITICAL

📋 TL;DR

Western Digital My Cloud devices running firmware before OS5 lack cryptographic signature verification for firmware updates, allowing attackers to upload and execute malicious firmware. This affects all users of My Cloud devices with firmware versions prior to OS5, potentially compromising the entire device and stored data.

💻 Affected Systems

Products:
  • Western Digital My Cloud NAS devices
Versions: All firmware versions before OS5
Operating Systems: Western Digital My Cloud OS
Default Config Vulnerable: ⚠️ Yes
Notes: All My Cloud devices with firmware prior to OS5 are vulnerable by default. OS5 introduced firmware signature verification.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover with persistent malware installation, data theft/encryption, and use as a foothold into the network.

🟠 Likely Case

Remote code execution leading to data compromise, ransomware deployment, or device bricking.

🟢 If Mitigated

Limited impact if device is isolated and firmware updates are controlled.

🌐 Internet-Facing: HIGH - Devices exposed to internet are directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Requires internal network access but still exploitable via phishing or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept exists from Pwn2Own Tokyo 2020. Exploitation requires network access to the device's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OS5 firmware or later

Vendor Advisory: https://www.westerndigital.com/support/product-security/wdc-21006-my-cloud-firmware-update-version-5-04-114

Restart Required: Yes

Instructions:

1. Back up all data.
2. Log into the My Cloud web interface.
3. Navigate to Settings > Firmware.
4. Check for and install the OS5 update.
5. The device will reboot automatically.

🔧 Temporary Workarounds

Network Isolation (all platforms)

Block the My Cloud device from internet access and restrict it to the internal network only.

Firewall Rules (linux)

Block access to the My Cloud web interface ports (typically 80/443) from untrusted networks. The two DROP rules on their own would also lock out the internal LAN, so accept the trusted subnet first; iptables evaluates rules top-down, so order matters. 192.168.1.0/24 is an example range, substitute your own:

# allow the trusted internal subnet to reach the web interface
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 443 -j ACCEPT
# drop web-interface traffic from everywhere else
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Disable remote access features and ensure device is only accessible from trusted internal networks.
  • Implement strict network segmentation and monitor for unusual firmware update attempts.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the My Cloud web interface under Settings > Firmware. If the version starts with 4.x or lower, the device is vulnerable.

Check Version:

curl -k https://[device-ip]/api/2.1/rest/system_info | grep firmware_version

Verify Fix Applied:

Verify that the firmware version shows OS5.x or higher in Settings > Firmware.
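The curl|grep check above only eyeballs the version string. The following is an added example (not part of the advisory or Western Digital's tooling) that parses the JSON the system_info endpoint returns and decides whether the device is on a pre-OS5 (unsigned-firmware) release. The field name firmware_version comes from the advisory; the surrounding JSON shape and the sample bodies are constructed assumptions, so the lookup searches nested objects rather than relying on a fixed path.

```python
import json
import re
import sys
from typing import Any, Dict, Optional, Tuple

# Constructed sample responses. The JSON layout is an assumption; only the
# firmware_version field name is taken from the advisory's curl|grep check.
SAMPLE_RESPONSES = {
    "os3_device": '{"system_info": {"firmware_version": "2.31.204", "model": "WDMyCloud"}}',
    "os5_device": '{"system_info": {"firmware_version": "5.04.114", "model": "WDMyCloud"}}',
    "os5_later": '{"system_info": {"firmware_version": "5.19.117", "model": "WDMyCloudEX2Ultra"}}',
}

FIXED_MAJOR = 5  # OS5 is the first firmware line that verifies update signatures
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def find_key(obj: Any, key: str) -> Optional[str]:
    """Depth-first search for `key` in nested dicts/lists; returns the first value found."""
    if isinstance(obj, dict):
        if key in obj:
            return str(obj[key])
        for value in obj.values():
            found = find_key(value, key)
            if found is not None:
                return found
    elif isinstance(obj, list):
        for value in obj:
            found = find_key(value, key)
            if found is not None:
                return found
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.04.114' into (5, 4, 114); raise on strings that are not dotted numbers."""
    match = VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_vulnerable(version: str) -> bool:
    """Pre-OS5 firmware (major version below 5) lacks signature verification."""
    return parse_version(version)[0] < FIXED_MAJOR


def assess(body: str) -> Dict[str, Any]:
    """Assess one system_info response body; vulnerable is None if no version was found."""
    data = json.loads(body)
    version = find_key(data, "firmware_version")
    if version is None:
        return {"version": None, "vulnerable": None,
                "reason": "firmware_version not present in response"}
    vulnerable = is_vulnerable(version)
    return {
        "version": version,
        "vulnerable": vulnerable,
        "reason": ("pre-OS5 firmware: updates are not signature-checked" if vulnerable
                   else "OS5 or later: firmware signature verification present"),
    }


if __name__ == "__main__":
    # Usage: curl -k https://[device-ip]/api/2.1/rest/system_info | python3 check_mycloud.py
    body = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSES["os3_device"]
    print(json.dumps(assess(body), indent=2))
```

Run it on each device in inventory by piping the curl output from the advisory's Check Version step into the script; a `vulnerable: null` result means the response did not carry a version and needs a manual look in Settings > Firmware.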

📡 Detection & Monitoring

Log Indicators:

  • Unexpected firmware update attempts
  • Unauthorized file uploads to firmware endpoints
  • System reboots without user action

Network Indicators:

  • HTTP POST requests to /api/2.1/rest/firmware_update
  • Unusual outbound connections from My Cloud device

SIEM Query:

source="mycloud.log" AND ("firmware_update" OR ("upload" AND "firmware"))
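As an added example (not part of the advisory), the log and network indicators above turned into a small detector that runs over web-server access lines from the device: it flags POSTs to the /api/2.1/rest/firmware_update endpoint named in the advisory, any POST/PUT whose path mentions firmware, and rates the finding higher when the source address is outside the trusted internal ranges. The Apache-style log format, the trusted subnets and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (Apache-style format is an assumption).
# The firmware_update endpoint path is the one listed under Network Indicators.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jul/2021:10:15:32 +0000] "GET /api/2.1/rest/system_info HTTP/1.1" 200 812
203.0.113.77 - - [12/Jul/2021:10:16:01 +0000] "POST /api/2.1/rest/firmware_update HTTP/1.1" 200 45
203.0.113.77 - - [12/Jul/2021:10:16:09 +0000] "PUT /nas/v1/upload/firmware.bin HTTP/1.1" 201 16777216
10.0.0.5 - admin [12/Jul/2021:10:20:00 +0000] "GET /api/2.1/rest/shares HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jul/2021:11:02:14 +0000] "POST /api/2.1/rest/firmware_update HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

FIRMWARE_UPDATE_ENDPOINT = "/api/2.1/rest/firmware_update"  # from the advisory
# Assumed trusted internal ranges; adjust to the networks the NAS should serve.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access-log line into a dict, or None if it does not match the format."""
    match = LOG_RE.match(line)
    if not match:
        return None
    entry = match.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = int(entry["size"])
    return entry


def classify(entry: Dict) -> Optional[str]:
    """Map a request to an indicator type, or None if it is not firmware-related."""
    method, path = entry["method"], entry["path"].lower()
    if method == "POST" and path.startswith(FIRMWARE_UPDATE_ENDPOINT):
        return "firmware_update_request"
    if method in ("POST", "PUT") and "firmware" in path:
        return "firmware_upload"
    return None


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the trusted internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def detect(log_text: str) -> List[Dict]:
    """Return one finding per firmware-related request, rejected attempts included."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        findings.append({
            "kind": kind,
            "src": entry["ip"],
            "path": entry["path"],
            "ts": entry["ts"],
            "status": entry["status"],
            # a 2xx means the device accepted the request; anything else was rejected
            "outcome": "succeeded" if 200 <= entry["status"] < 300 else "rejected",
            # an untrusted source attempting a firmware update is the high-priority case
            "severity": "high" if not is_trusted(entry["ip"]) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Rejected attempts are reported on purpose: a 403 against the firmware endpoint from an internal host is still the "unexpected firmware update attempt" the Log Indicators list asks you to watch for, and a run of them preceding an unexplained reboot is the sequence worth correlating.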
