Vulnerabilities in Twonky, e.g. exposing directory and file names on the HDD root (CVE-2018-7171, CVE-2018-7203)

Two CVEs, CVE-2018-7171 and CVE-2018-7203, were recently published. One of them can be exploited with tools like twonky.py from the mechanico/sharingIsCaring repository on GitHub to obtain the names of session files stored on the filesystem and to misuse them to log in to the device.

I have verified CVE-2018-7171 with the twonky.py linked above and can confirm that Twonky 7.2.9-6, shipped with the My Cloud Mirror Gen1 in firmware version 2.11.169 (01/12/18), is affected by this vulnerability.

The advisory lists additional My Cloud devices as vulnerable:

WDMyCloud
MyCloudEX2Ultra
WDMyCloudEX4
WDMyCloudEX2100

To mitigate this vulnerability, browse to:

http://mywddevice:9000

and set a strong password via the advanced settings. This blocks unauthenticated access to the RPC methods used to exploit this vulnerability.
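After setting the password, it is worth confirming from another machine on the LAN that the port 9000 interface really refuses unauthenticated requests. The following check script is an added example, not code from the original post or from Twonky; it assumes that a password-protected Twonky answers an anonymous request for `/` with HTTP 401 (or a redirect to a login page), and it only reports what it sees.

```python
"""Check whether a Twonky admin interface on port 9000 demands credentials.

Added example, not part of the original post. Assumption (not stated on
the page): once a password is set, Twonky answers anonymous requests with
HTTP 401 plus a WWW-Authenticate header; anything else is reported as-is.
"""
import http.client
import sys

ADMIN_PORT = 9000          # Twonky web configuration port named in the post


def classify(status, headers):
    """Turn the status/headers of an unauthenticated GET into a verdict."""
    names = {k.lower() for k in headers}
    if status == 401 and "www-authenticate" in names:
        return "protected"      # server asks for credentials, mitigation in place
    if status in (401, 403):
        return "protected"      # refused, even without a challenge header
    if 300 <= status < 400:
        return "redirect"       # probably a login page; inspect Location manually
    if 200 <= status < 300:
        return "open"           # config UI served without any password
    return "unknown"


def probe(host, port=ADMIN_PORT, path="/", timeout=5):
    """Fetch path without credentials; http.client does not follow redirects,
    so a 3xx is visible to classify() instead of being silently followed."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"User-Agent": "twonky-auth-check"})
        resp = conn.getresponse()
        verdict = classify(resp.status, dict(resp.getheaders()))
        conn.close()
        return verdict
    except OSError:
        return "unreachable"    # port closed, host down, or name not resolved


if __name__ == "__main__":
    # "mywddevice" is the hostname used in the post; pass your own as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "mywddevice"
    print(f"{target}:{ADMIN_PORT} -> {probe(target)}")
```

Run it against the device from a second host; "open" means the password setting did not take effect for the web interface and the mitigation should be rechecked.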