Several different Western Digital MyCloud Network Attached Storage (NAS) devices are affected by many different security flaws, ranging from attackers being able to bypass authentication to being able to upload and download data.

This was discovered by a security researcher who goes by the handle Zenofex. These flaws have not been reported to Western Digital and still haven’t been patched, and half of the exploit code is available online. So far, 85 different flaws have been found.

These are the affected NAS devices:

My Cloud

My Cloud Gen 2

My Cloud Mirror

My Cloud PR2100

My Cloud PR4100

My Cloud EX2 Ultra

My Cloud EX2

My Cloud EX4

My Cloud EX2100

My Cloud EX4100

My Cloud DL2100

My Cloud DL4100

Zenofex decided not to tell Western Digital after attending a security conference last year, where he found out that WD doesn’t seem to pay any attention to vulnerability reports.

Some of the exploits work by embedding shell commands in a cookie. Others can gain control of the device just by having a user visit a website that has the exploit code inside image tags. The worst one lets hackers bypass authentication by modifying cookie session parameters.