CVE Tools
Sign in

CVE-2022-23000

Weak Default SSL use in Port Forwarding Service

Published: Jul 25, 2022Updated: Nov 21, 2024 Sources: CVE List NVD BDUCWE-757
NVD MITRE
7.3CVSSHIGH
EPSS Score
0.2%
Top 92.0%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability.

CVSS Vector Breakdown

AV:LAC:LPR:NUI:NS:UC:LI:HA:L
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:HIntegrity
High
A:LAvailability
Low
Open in CVSS calculator →

Weaknesses

CWE-757NVD-CWE-Other

Affected Products

My CloudWestern Digital
On-prem
Hardware Firmware / storage-nas
My Cloud PR2100Western Digital CorporationHardware Firmware
My Cloud PR4100Western Digital CorporationHardware Firmware
My Cloud EX4100Western Digital CorporationHardware Firmware
My Cloud EX2 UltraWestern Digital CorporationHardware Firmware
western digitalcommercialUSHardware Firmwareaka western digital
western digital corporationcommercialUSHardware Firmwareaka western digital
and 13 more affected products View all →

Exploitability

Official Patch Available

References

https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114
westerndigital.com
https://nvd.nist.gov/vuln/detail/CVE-2022-23000
nvd.nist.gov

Timeline

Published
Jul 25, 2022
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2022-23000 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows