CVE-2022-29844
Published: 26 January 2023
Summary
CVE-2022-29844 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Western Digital My Cloud PR2100 firmware. Its CVSS base score is 6.7 (Medium).
Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices allows an unauthenticated attacker to read and write arbitrary files on affected systems. The flaw, tracked as CVE-2022-29844 and classified as CWE-23 and CWE-22, affects firmware versions prior to 5.26.119. Its CVSS 3.1 base score of 6.7 reflects a local attack vector, high attack complexity, and no required privileges or user interaction; since the flaw sits in a network-facing FTP service, treat any exposure of that service to an untrusted network as in scope when prioritising, whatever the recorded vector says.
An attacker who can reach the FTP service can use the path traversal to read or modify files outside the directories the service is meant to expose. Successful exploitation can result in full compromise of the NAS and remote code execution on the device.
Western Digital's advisory WDC-23002 directs users to upgrade to firmware version 5.26.119, which resolves the issue. The CVE's EPSS score peaked at 0.6138 and currently stands at 0.5342, i.e. EPSS estimates roughly a 53% probability of exploitation activity in the next 30 days, a level that has held since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34162
Vulnerability details
A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.
- CWE(s): CWE-23 (Relative Path Traversal), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Western Digital My Cloud OS 5 devices (including the My Cloud PR2100) running firmware prior to 5.26.119.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validate and canonicalise client-supplied pathnames and filenames before use, and reject any that resolve outside the intended directory.