Cyber Resilience

CVE-2023-22815

MediumRCE

Published: 30 June 2023

Published
30 June 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 6.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
EPSS Score 0.0037 59.3th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-22815 is a medium-severity OS Command Injection (CWE-78) vulnerability in Westerndigital My Cloud Os. Its CVSS base score is 6.2 (Medium).

Operationally, ranked in the top 40.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the…

more

network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high. This issue affects My Cloud OS 5 devices: before 5.26.300.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

westerndigital
my cloud os
≤ 5.26.300

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References