CVE-2018-18472
moderate-risk
Published 2019-06-19
Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,
Do I need to act?
~
7.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
My Book Live Firmware
Affected Vendors
References (6)
Third Party Advisory
https://www.wizcase.com/blog/hack-2018/
Third Party Advisory
https://www.wizcase.com/blog/hack-2018/
47
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
10/34 · Low
Exposure
5/34 · Minimal