The Western Digital Discovery app, a well-known provider of storage devices, has a vulnerability identified as CVE 2024-22169 with a CVSS base score of 7.1 that allows for code execution.
The security vulnerability arises due to the Node.js environment settings in the WD Discovery App. Utilizing the ELECTRON_RUN_AS_NODE environment variable might allow code execution.
In particular, the vulnerability allows code execution within the context of WD Discovery applications and can be abused by any malicious application running with usual user permissions.
“Any malicious application operating with standard user permissions can exploit this vulnerability, enabling code execution within the WD Discovery application’s context,” the company said.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide
Yoko Kho, AbdulKarim, and Fahad Alamri of the HakTrak Cybersecurity Team were notified of the issue. This vulnerability affects all WD Discovery Desktop App users earlier than 5.0.589. Both Windows and macOS users are impacted by the issue.
Fix Available
Western Digital urges users to upgrade their WD Discovery app to version 5.0.589 or higher on both Windows and Mac devices as soon as possible.
WD Discovery version 5.0.589 addresses this issue by “disabling certain features and fuses in Electron.”
Users can download the most recent version from the WD Discovery Downloads page, accept the update automatically, or follow the directions on the WD Discovery Online User Guide.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access