From bleepingcomputer.com
Western Digital has released new My Cloud OS firmware to fix a vulnerability exploited by bug hunters during the Pwn2Own 2021 hacking competition to achieve remote code execution.
The flaw, tracked as CVE-2022-23121, was exploited by members of NCC Group’s EDG team and relied on the open-source service named “Netatalk Service” that was included in My Cloud OS.
The vulnerability, which has a CVSS v3 severity score of 9.8, allows remote attackers to execute arbitrary code on the target device, in this case a WD PR4100 NAS, without requiring authentication.