Cyber Resilience

CVE-2022-23000

High

Published: 25 July 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
EPSS Score: 0.0013 (31.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-23000 is a high-severity Algorithm Downgrade (CWE-757) vulnerability in Western Digital My Cloud PR2100 firmware. Its CVSS base score is 7.3 (High).

Operationally, it is ranked at the 31.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Affected versions
westerndigital | my cloud pr2100 firmware | ≤ 5.23.114
westerndigital | my cloud pr4100 firmware | ≤ 5.23.114
westerndigital | my cloud ex4100 firmware | ≤ 5.23.114
westerndigital | my cloud ex2 ultra firmware | ≤ 5.23.114
westerndigital | my cloud mirror g2 firmware | ≤ 5.23.114
westerndigital | my cloud dl2100 firmware | ≤ 5.23.114
westerndigital | my cloud dl4100 firmware | ≤ 5.23.114
westerndigital | my cloud ex2100 firmware | ≤ 5.23.114
westerndigital | my cloud firmware | ≤ 5.23.114

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
