Cyber Resilience

CVE-2022-29844

Medium

Published: 26 January 2023

Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 6.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.5342 (98.0th percentile)
Risk Priority: 45 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-29844 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Western Digital My Cloud PR2100 firmware. Its CVSS base score is 6.7 (Medium).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices allows an unauthenticated attacker to read and write arbitrary files on affected systems. The flaw, tracked as CVE-2022-29844 and assigned CWE-23 and CWE-22, impacts firmware versions prior to 5.26.119 and carries a CVSS 3.1 score of 6.7, reflecting a local attack vector, high attack complexity, and no required privileges or user interaction.

An attacker who can reach the FTP service can leverage the path traversal issue to access or modify files outside intended directories. Successful exploitation can result in full NAS compromise and remote code execution on the device.

Western Digital’s advisory WDC-23002 directs users to upgrade to firmware version 5.26.119, which resolves the issue. The CVE’s EPSS score reached a peak of 0.6138 and currently stands at 0.5342, indicating sustained moderate exploitation interest since disclosure.

EU & UK References

Vulnerability details

A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Version
westerndigital | my cloud pr2100 firmware | ≤ 5.26.119
westerndigital | my cloud pr4100 firmware | ≤ 5.26.119
westerndigital | my cloud ex4100 firmware | ≤ 5.26.119
westerndigital | my cloud ex2 ultra firmware | ≤ 5.26.119
westerndigital | my cloud mirror g2 firmware | ≤ 5.26.119
westerndigital | my cloud dl2100 firmware | ≤ 5.26.119
westerndigital | my cloud dl4100 firmware | ≤ 5.26.119
westerndigital | my cloud ex2100 firmware | ≤ 5.26.119

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References