CVE-2022-22999
📋 TL;DR
Western Digital My Cloud devices contain a cross-site scripting (XSS) vulnerability that allows authenticated attackers with elevated privileges to inject malicious JavaScript that runs in other users' browsers. This could lead to session hijacking, data theft, or unauthorized configuration changes. The vulnerability affects My Cloud devices running firmware versions earlier than 5.23.114.
💻 Affected Systems
- Western Digital My Cloud devices
📦 What is this software?
- My Cloud DL2100 firmware by Western Digital
- My Cloud DL4100 firmware by Western Digital
- My Cloud EX2100 firmware by Western Digital
- My Cloud EX4100 firmware by Western Digital
- My Cloud PR2100 firmware by Western Digital
- My Cloud PR4100 firmware by Western Digital
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full control over authenticated user sessions, steals sensitive backup data, modifies device settings, redirects users to malicious sites, and potentially compromises other connected systems.
Likely Case
Privileged insider or compromised admin account injects malicious scripts to steal session cookies or credentials from other users, leading to unauthorized access to backup data.
If Mitigated
With proper access controls and network segmentation, impact is limited to the isolated My Cloud device, with no sensitive data exposure.
🎯 Exploit Status
Exploitation requires authenticated access with elevated privileges. XSS payloads can be crafted to target specific authenticated users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version 5.23.114
Vendor Advisory: https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114
Restart Required: Yes
Instructions:
1. Log into the My Cloud web interface.
2. Navigate to Settings > Firmware Update.
3. Check for updates and install version 5.23.114 or later.
4. Reboot the device after installation.
🔧 Temporary Workarounds
Restrict Web Interface Access
- Limit access to the My Cloud web interface to trusted networks only
- Configure firewall rules to restrict access to the My Cloud device on ports 80/443
Implement Content Security Policy
- Add CSP headers to restrict script execution
- Add a 'Content-Security-Policy' header with script-src directives (on an appliance this normally means terminating HTTPS at a reverse proxy in front of the device and setting the header there; a policy that blocks inline scripts can also break the device's own UI, so test it before rolling it out)
🧯 If You Can't Patch
- Isolate My Cloud device on separate VLAN with strict access controls
- Implement web application firewall with XSS protection rules
- Disable unnecessary user accounts and enforce strong authentication
- Regularly monitor for suspicious activity in web interface logs
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the My Cloud web interface under Settings > Firmware Update.
Check Version:
MYCLOUD_IP=192.0.2.1   # placeholder; replace with the device address
curl -k "https://$MYCLOUD_IP/api/2.0/system?method=get_info" | grep firmware_version
(The URL is quoted so the shell does not expand the ? as a glob, and a plain variable is used instead of a bracketed placeholder because curl treats [ ] as a URL range.)
Verify Fix Applied:
Confirm the firmware version is 5.23.114 or later in Settings > Firmware Update.
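As an added example (not part of the advisory and not Western Digital code), the following Python script turns the version check above into a repeatable test: it compares a reported firmware version against the fixed release 5.23.114 numerically rather than as a string. It assumes the get_info call returns JSON with a firmware_version field; that field name and the sample responses are constructed assumptions, so adjust extract_version() if the real API answers differently.

```python
"""Firmware version check for CVE-2022-22999 (added example, not WD code).

Assumption (not confirmed by the advisory): the device API answers with a
JSON object that carries a "firmware_version" key.
"""
import json
import re

FIXED_VERSION = "5.23.114"   # fixed release named in the vendor advisory

# Constructed sample responses for offline testing.
SAMPLE_VULNERABLE = '{"firmware_version": "5.22.113", "model": "PR4100"}'
SAMPLE_FIXED = '{"firmware_version": "5.23.114", "model": "EX2100"}'
SAMPLE_NEWER = '{"firmware_version": "5.24.108", "model": "DL4100"}'


def parse_version(text):
    """Turn '5.23.114' (optionally prefixed with 'v' or followed by a suffix)
    into a tuple of ints.

    Comparing tuples avoids the string-comparison trap where '5.9.0' sorts
    after '5.23.114' because '9' > '2'.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version):
    """True when the reported firmware is 5.23.114 or later."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def extract_version(body):
    """Pull firmware_version out of the (assumed JSON) API body; None if absent."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    return data.get("firmware_version") if isinstance(data, dict) else None


def assess(body):
    """Classify an API response as 'fixed', 'vulnerable' or 'unknown'."""
    version = extract_version(body)
    if version is None:
        return {"version": None, "status": "unknown"}
    try:
        status = "fixed" if is_fixed(version) else "vulnerable"
    except ValueError:
        status = "unknown"
    return {"version": version, "status": status}


if __name__ == "__main__":
    for body in (SAMPLE_VULNERABLE, SAMPLE_FIXED, SAMPLE_NEWER, "not json"):
        print(assess(body))
```

Feed it the body returned by the curl command (for example via subprocess or requests) and treat anything other than "fixed" as a device that still needs the update; "unknown" means the response shape did not match the assumption and the check itself needs attention rather than the device.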
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in web server logs
- Multiple failed authentication attempts followed by successful admin login
- Suspicious POST requests to web interface endpoints
Network Indicators:
- Unusual outbound connections from My Cloud device
- Traffic patterns suggesting data exfiltration
- Unexpected redirects in HTTP responses
SIEM Query:
source="mycloud-logs" AND (http_uri="*<script>*" OR http_user_agent="*javascript:*" OR http_referer="*javascript:*")
Note that these wildcards match only literal, unencoded payloads: a URL-encoded variant such as %3Cscript%3E in the URI will not hit, so decode the request fields (or add the encoded forms to the query) before relying on this alone.
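As an added example (not part of the advisory and not a Western Digital tool), the following Python script applies the same indicators as the SIEM query to raw web-interface access logs, but percent-decodes the URI, referer and user-agent fields first so that encoded payloads are not missed, and also flags inline event-handler attributes. It assumes the device logs in the common Apache/nginx "combined" format; the log lines below are constructed samples.

```python
"""Scan My Cloud web-interface access logs for XSS-style payloads.

Added example, not WD code. Assumes Apache/nginx "combined" log format;
the SAMPLE_LOG lines are constructed. Unlike a literal "*<script>*" wildcard
match, fields are percent-decoded before matching.
"""
import re
from urllib.parse import unquote

# One "combined" log line: ip ident user [time] "method uri proto" status size "referer" "agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Indicators applied after decoding. The event-handler pattern is deliberately
# broad and can be noisy on parameters that start with "on"; tune for your logs.
SUSPICIOUS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]

# Constructed sample log (RFC 5737 test addresses); lines 3-5 carry payloads.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/2022:10:00:01 +0000] "GET /web/?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Feb/2022:10:00:02 +0000] "POST /cgi-bin/settings.cgi HTTP/1.1" 200 88 "https://nas.local/web/" "Mozilla/5.0"
192.0.2.12 - - [01/Feb/2022:10:00:03 +0000] "GET /web/?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.13 - - [01/Feb/2022:10:00:04 +0000] "GET /web/ HTTP/1.1" 200 512 "javascript:alert(document.cookie)" "Mozilla/5.0"
192.0.2.14 - - [01/Feb/2022:10:00:05 +0000] "GET /web/?desc=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def decode(value):
    """Percent-decode repeatedly (bounded to 3 rounds) so double-encoded payloads are seen."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a list of (field, indicator) hits for one log line; [] if clean or unparseable."""
    m = COMBINED.match(line)
    if not m:
        return []
    hits = []
    for field in ("uri", "referer", "agent"):
        text = decode(m.group(field))
        for name, pattern in SUSPICIOUS:
            if pattern.search(text):
                hits.append((field, name))
    return hits


def scan_log(text):
    """Map the client IP of each flagged line to its indicator hits."""
    findings = {}
    for line in text.splitlines():
        hits = scan_line(line)
        if hits:
            findings[line.split(" ", 1)[0]] = hits
    return findings


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, hits)
```

Because the vulnerability needs an already-privileged account, a hit is most useful when correlated with who was logged in at the time: pair the flagged client IP with the authentication events the "Log Indicators" list above describes before escalating.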