Vulnerability Description
Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Westerndigital | My Book Live Firmware | All versions |
| Westerndigital | My Book Live | - |
Related Weaknesses (CWE)
References
- https://community.wd.com/t/action-required-on-my-book-live-and-my-book-live-duo/
- https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-sec
- https://www.wizcase.com/blog/hack-2018/Third Party Advisory
- https://community.wd.com/t/action-required-on-my-book-live-and-my-book-live-duo/
- https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-sec
- https://www.wizcase.com/blog/hack-2018/Third Party Advisory
FAQ
What is CVE-2018-18472?
CVE-2018-18472 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter....
How severe is CVE-2018-18472?
CVE-2018-18472 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-18472?
Check the references section above for vendor advisories and patch information. Affected products include: Westerndigital My Book Live Firmware, Westerndigital My Book Live.