Connect with us

Hi, what are you looking for?


Endpoint Security

Western Digital Blocks Unpatched Devices From Cloud Services

Western Digital is blocking access to its cloud services for devices running firmware versions impacted by a critical security vulnerability.

Western Digital has blocked access to its cloud services for devices running firmware versions impacted by a known and critical security vulnerability.

The move, which began on June 15, comes one month after the company released firmware updates for its My Cloud product line to address multiple security defects, including a critical path traversal bug that leads to remote code execution (RCE).

The issue is tracked as CVE-2022-36327 and carries CVSS severity score of 9.8/10. According to a NIST advisory, the flaw “could allow an attacker to write files to locations with certain critical filesystem types.”

The flaw impacts Western Digital’s My Cloud Home, My Cloud Home Duo, SanDisk ibi, and My Cloud OS 5 devices and requires the attackers to first trigger an authentication bypass vulnerability.

On May 15, Western Digital released My Cloud OS 5 firmware version 5.26.202 to resolve this bug and three other medium-severity issues, including an uncontrolled resource consumption flaw leading to denial-of-service (DoS), a path traversal issue leading to sensitive information disclosure, and a server-side request forgery (SSRF) bug leading to the exploitation of other vulnerabilities.

On May 26, the company released firmware version 9.4.1-101 to resolve the SSRF bug in My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices.

Starting June 15, devices running firmware versions prior to 5.26.202 or 9.4.1-101 can no longer connect to Western Digital cloud services, the company notes in an advisory.

Advertisement. Scroll to continue reading.

While My Cloud OS 5 users can still access their data on these devices locally, My Cloud Home, My Cloud Home Duo, and SanDisk ibi users will not be able to access their data until they update their devices to the latest firmware release, the company explains.

By blocking unpatched devices from accessing My Cloud services, Western Digital essentially prevents them from falling victim to cyberattacks that could potentially lead to severe data compromise.

Related: Western Digital Confirms Ransomware Group Stole Customer Information

Related: Western Digital Shuts Down Services Due to Cybersecurity Breach

Related: Western Digital Finds Replay Attack Protection Flaw Affecting Multiple Vendors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.