Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
May 22, 2019

WD My Cloud RCE PoC Exploit

Tested on WD My Cloud EX2 Ultra versions 2.31.149 and 2.31.163. Should work on other MyCloud models.

for the write-up go here.

Authentication bypass to acquire user-session (CVE-2019-9950)

  • login_mgr.cgi matches credentials against /etc/shadow, therefore the "nobody" account can be used to gain a low-privilege user session by providing "nobody"'s default, empty password.

Root-RCE using low-privilege session (CVE-2019-9949)

  1. cgi-bin/webfile_mgr.cgi allows an attacker in the same network to perform command injection by abusing the "name" parameter to the cgi_unzip command.

  2. cgi-bin/webfile_mgr.cgi allows an attacker in the same network to issue the cgi_untar command on a user-controlled archive to create a persistent symbolic link on the filesystem which can be written into by issuing the command again.

Unauthenticated file upload (CVE-2019-9951)

The page web/jquery/uploader/uploadify.php can be accesses without any credentials and allows uploading arbitrary files to any location on the attached storage under either:

  • /mnt/HD
  • /mnt/USB
  • /mnt/isoMount

Disclosure timeline

  • 2019-01-20 🍄 reported to with 30-day deadline
  • 2019-01-22 ᴡᴅ sent an automated(?) response
  • 2019-02-05 🍄 requested comfirmation of issues
  • 2019-02-06 ᴡᴅ asked for 90 days to fix the issues
  • 2019-03-05 🍄 requested status update
  • 2019-03-15 ᴡᴅ asked for additional 90-day extension
  • 2019-03-16 🍄 agreed on 30-day extension
  • 2019-03-27 ᴡᴅ released first patch (CVE-2019-9950, CVE-2019-9951)
  • 2019-05-20 ᴡᴅ release of second patch (CVE-2019-9949)
  • 2019-05-22 🍄 public disclosure


No releases published


No packages published