Vulnerabilities in Twonky e.g. exposes dir and filenames on HDD root (CVE-2018-7171, CVE-2018-7203)

Recently, two CVEs, CVE-2018-7171 and CVE-2018-7203, have been published, of which one can be exploited with tools like to get access to the names of session files stored on the filesystem and to misuse them to log in to the device.

I have verified the CVE-2018-7171 with the linked above and can confirm that Twonky 7.2.9-6 shipped with the My Cloud Mirror Gen1 in Firmware version 2.11.169 (01/12/18) is affected by this vulnerability.

The advisory lists additional MyCloud devices to be vulnerable:


To mitigate this vulnerability you can browse to:


and set a strong password via the advanced settings. This blocks access to the RPC methods used to exploit this vulnerability.