
Hackers use zero-day to mass-wipe My Book Live devices (2021) by ivanvas
A zero-day vulnerability in Western Digital My Book Live NAS devices allowed a threat actor to perform mass factory resets of devices last week, leading to data loss.
Last week, we broke the story that Western Digital My Book Live NAS owners suddenly discovered that their stored files had mysteriously disappeared. Unfortunately, the factory reset also reset the admin passwords, so users could not log in to their devices via the web dashboard or SSH.
After analyzing their devices' logs, some users found that on June 24th a script called factoryRestore.sh had been executed on their devices, wiping the stored files.
Jun 24 00:26:53 MyBookLive factoryRestore.sh: begin script:
Jun 24 00:26:53 MyBookLive shutdown[5033]: shutting down for system reboot
Jun 24 00:26:53 MyBookLive logger: exit standby after 9674 (since 2021-06-23 21:45:39.926803414 +0100)
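The log excerpt above is the only artifact an owner had to work with, so a small parser that flags the reset path is a useful defensive check. The following is an added example, not code from the article or from Western Digital: it parses classic BSD-style syslog lines of the shape shown above, picks out any execution of factoryRestore.sh, and checks whether a system shutdown followed within a short window, which is the pattern in the excerpt. The two benign lines in the sample are constructed; the three incident lines are the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Classic BSD syslog line: "Mon DD HH:MM:SS host program[pid]: message".
# The pid in square brackets is optional (shutdown[5033] has one, logger does not).
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<message>.*)$"
)

# Programs whose appearance in the log marks the destructive reset path.
RESET_PROGRAMS = {"factoryRestore.sh"}

# Constructed sample: two ordinary lines followed by the three lines from the incident log.
SAMPLE_LOG = [
    "Jun 23 21:45:39 MyBookLive kernel: [12345.678] usb 1-1: new high-speed USB device",
    "Jun 23 21:46:02 MyBookLive logger: enter standby",
    "Jun 24 00:26:53 MyBookLive factoryRestore.sh: begin script:",
    "Jun 24 00:26:53 MyBookLive shutdown[5033]: shutting down for system reboot",
    "Jun 24 00:26:53 MyBookLive logger: exit standby after 9674 (since 2021-06-23 21:45:39.926803414 +0100)",
]


@dataclass
class SyslogEvent:
    month: str
    day: int
    time: str
    host: str
    program: str
    pid: Optional[int]
    message: str


def parse_syslog_line(line: str) -> Optional[SyslogEvent]:
    """Parse one syslog line; return None for lines that do not match the format."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return SyslogEvent(
        month=m["month"],
        day=int(m["day"]),
        time=m["time"],
        host=m["host"],
        program=m["program"],
        pid=int(m["pid"]) if m["pid"] else None,
        message=m["message"],
    )


def find_factory_restore_events(lines: Iterable[str]) -> List[SyslogEvent]:
    """Return every event emitted by a known reset program."""
    events = []
    for line in lines:
        ev = parse_syslog_line(line)
        if ev and ev.program in RESET_PROGRAMS:
            events.append(ev)
    return events


def _seconds_of_day(ev: SyslogEvent) -> int:
    # BSD syslog carries no year, so events are only ordered within one calendar day.
    h, m, s = (int(x) for x in ev.time.split(":"))
    return h * 3600 + m * 60 + s


def restore_followed_by_reboot(lines: Iterable[str], window_seconds: int = 60) -> bool:
    """True if a reset-program event is followed by a shutdown on the same day within the window.

    Assumption (not from the article): the reset and the reboot it triggers are logged on the
    same month/day, which holds for the excerpt being analysed.
    """
    events = [ev for ev in (parse_syslog_line(l) for l in lines) if ev]
    for i, ev in enumerate(events):
        if ev.program not in RESET_PROGRAMS:
            continue
        for later in events[i + 1:]:
            if (later.month, later.day) != (ev.month, ev.day):
                break
            delta = _seconds_of_day(later) - _seconds_of_day(ev)
            if later.program == "shutdown" and 0 <= delta <= window_seconds:
                return True
    return False


if __name__ == "__main__":
    for ev in find_factory_restore_events(SAMPLE_LOG):
        print(f"reset script ran: {ev.month} {ev.day} {ev.time} on {ev.host}: {ev.message}")
    print("reset followed by reboot:", restore_followed_by_reboot(SAMPLE_LOG))
```

On a device that has not been tampered with, factoryRestore.sh should only ever appear in the log alongside an authenticated dashboard action the owner remembers performing; an unexplained hit, especially one immediately followed by a shutdown, is the signature the affected owners found.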
Western Digital had originally told BleepingComputer that the attacks were being conducted through a 2018 vulnerability tracked as CVE-2018-18472, which was not fixed as the device has been out of support since 2015.
It turns out that while threat actors did use this vulnerability in attacks against My Book Live devices, a different zero-day vulnerability was actually responsible for the factory resets.
Zero-day used to perform factory resets
A report by Censys CTO Derek Abdine revealed that the latest firmware for My Book Live devices contained a zero-day vulnerability that allowed a remote attacker to perform factory resets on Internet-connected devices.
While remote administration consoles commonly allow factory resets, they always require the admin to authenticate to the device first.
In the aptly named system_factory_restore script in the My Book Live’s firmware, the authentication checks were commented o