The security researcher, known as Zenofex, discovered a total of 85 vulnerabilities of varying severity, including critical, in the MyCloud network devices of Western Digital.

According to the expert, the problems affect the following models: My Cloud, My Cloud Gen 2, My Cloud Mirror, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

Some of the identified problems allow remote execution of code on the target device, as well as access to user data.

A significant number of detected vulnerabilities can be exploited by changing the values ??of cookies or embedding shell commands in cookies. More complex attacks involve the introduction of malicious code into image tags on sites visited by owners of vulnerable devices WD My Cloud. As a result, an attacker can gain control of the device.

According to Zenofex, the most dangerous vulnerability, allowing to bypass the authentication mechanism, is easier to exploit. To do this, you just need to modify the parameters of the session cookie.

The researcher decided not to inform Western Digital about the vulnerabilities he found after talking to other experts at the Black Hat USA 2016 conference, who repeatedly complained that WD constantly ignores messages about vulnerabilities.

"Due to ignoring these problems, vulnerable devices will stay online for longer. We want to draw the community's attention to vulnerabilities and hope that users will limit public access to their networks where possible, "says Zenofex.

The researcher published the PoC-code to 48 vulnerabilities, and also presented a video demonstrating the operation of a number of problems.