{"api_version":"1","generated_at":"2026-06-01T09:40:57+00:00","cve":"CVE-2016-10108","urls":{"html":"https://cve.report/CVE-2016-10108","api":"https://cve.report/api/cve/CVE-2016-10108.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-10108","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-10108"},"summary":{"title":"CVE-2016-10108","description":"Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.","state":"PUBLISHED","assigner":"mitre","published_at":"2017-01-03 06:59:00","updated_at":"2026-05-06 22:30:45"},"problem_types":["CWE-77","n/a"],"metrics":[{"version":"3.0","source":"nvd@nist.gov","type":"Primary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"10","severity":"","vector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","baseScore":10,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"}}],"references":[{"url":"http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html","name":"http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Western Digital MyCloud Unauthenticated Command Injection ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/","name":"https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"],"title":"Command Injection vulnerability in Western Digital MyCloud NAS – Steven Campbell – Security Analyst, OSCP, OSWP","mime":"text/html","httpstatus":"404","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/95200","name":"http://www.securityfocus.com/bid/95200","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Western Digital MyCloud NAS CVE-2016-10108 Remote Command Injection Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-10108","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10108","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"10108","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"western_digital","cpe5":"mycloud_nas","cpe6":"2.11.142","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[{"cvename":"CVE-2016-10108","organization":"Western Digital","lastmodified":"2017-01-09","contributor":"Western Digital","statementText":"This was resolved via My Cloud product firmware update 2.11.157 for the My Cloud EX2, EX4, and Mirror (Gen 1) models, and My Cloud product firmware update 2.21.126 for all other affected My Cloud models (My Cloud, PR 4100, PR2100, DL4100, DL2100, EX4100, EX2100, EX2 Ultra models). The firmware updates were made available December 20, 2016. The product firmware updates are available through the Update Firmware option on the My Cloud device itself or from the specific My Cloud product model’s support page at: http://support.wdc.com/downloads.aspx?g=904&lang=en#downloads .","cve_year":"2016","cve_id":"10108","crc32":"b60af018"}],"enrichments":{"kev":null,"epss":{"cve_year":"2016","cve_id":"10108","cve":"CVE-2016-10108","epss":"0.921700000","percentile":"0.997200000","score_date":"2026-05-11","updated_at":"2026-05-12 00:01:18"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T03:07:32.166Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/"},{"name":"95200","tags":["vdb-entry","x_transferred"],"url":"http://www.securityfocus.com/bid/95200"},{"tags":["x_transferred"],"url":"http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2017-01-03T00:00:00.000Z","descriptions":[{"lang":"en","value":"Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2023-07-28T00:00:00.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/"},{"name":"95200","tags":["vdb-entry"],"url":"http://www.securityfocus.com/bid/95200"},{"url":"http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html"}]}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2016-10108","datePublished":"2017-01-03T00:00:00.000Z","dateReserved":"2017-01-03T00:00:00.000Z","dateUpdated":"2024-08-06T03:07:32.166Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-01-03 06:59:00","lastModifiedDate":"2026-05-06 22:30:45","problem_types":["CWE-77","n/a"],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","baseScore":10,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":true,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:western_digital:mycloud_nas:2.11.142:*:*:*:*:*:*:*","matchCriteriaId":"4E266118-1758-4B64-A160-42FFD3869274"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"10108","Ordinal":"1","Title":"CVE-2016-10108","CVE":"CVE-2016-10108","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"10108","Ordinal":"1","NoteData":"Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.","Type":"Description","Title":"CVE-2016-10108"},{"CveYear":"2016","CveId":"10108","Ordinal":"2","NoteData":"2017-01-03","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"10108","Ordinal":"3","NoteData":"2017-01-04","Type":"Other","Title":"Modified"}]}}}