Critical Command Injection Flaw Puts Western Digital My Cloud NAS Devices at Risk
A critical security vulnerability in Western Digital's popular My Cloud network-attached storage (NAS) devices allows remote attackers to execute arbitrary system commands without authentication. Tracked as CVE-2025-30247, this OS command injection flaw resides in the device's web interface and can be exploited by sending specially crafted HTTP POST requests to vulnerable endpoints. Security researcher 'w1th0ut' discovered and reported the flaw, prompting Western Digital to release emergency firmware updates.
The Vulnerability Mechanics
Attackers can weaponize this flaw by manipulating HTTP parameters to inject malicious shell commands. Successful exploitation grants full system-level access to the NAS device, enabling:
- Unauthorized file access, modification, or deletion
- User enumeration and configuration tampering
- Execution of malicious binaries
- Deployment of ransomware or cryptocurrency miners
- Enlistment into DDoS botnets
"Historical attacks on NAS devices show criminals actively exploit these flaws for data harvesting, proxy networks, and extortion," notes the security advisory. "Immediate patching is non-negotiable."
Affected Devices and Patch Status
The vulnerability impacts all firmware versions prior to 5.31.108 on these models:
- My Cloud PR2100
- My Cloud PR4100
- My Cloud DL2100*
- My Cloud EX2100
- My Cloud DL4100*
- My Cloud EX4100
- My Cloud EX2 Ultra
- My Cloud Mirror Gen 2
- My Cloud WDBCTLxxxxxx-10
*Denotes end-of-support (EoS) devices with uncertain patch availability. Western Digital's advisory provides no mitigation guidance for these models.
Urgent Mitigation Steps
- Patch immediately: Devices with auto-update enabled should have received firmware 5.31.108 since September 23. Verify under Settings > Firmware Update.
- Manual update: Download the correct firmware from WD's repository and upload via Settings > Firmware Update > Update From File.
- Offline isolation: If patching isn't feasible, disconnect devices from the internet immediately. They remain usable in local LAN mode.
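For anyone tracking several units, the steps above can be applied to an inventory list. The following is an added example, not code from Western Digital or the advisory: the function names, action labels and sample inventory are constructed for illustration. It compares firmware versions numerically, because a plain string comparison would wrongly rank 5.9.120 above 5.31.108.

```python
# Added example: triage an inventory against the advisory's fixed firmware version.
import re

FIXED = (5, 31, 108)  # first fixed firmware named in the article
AFFECTED = {
    "PR2100", "PR4100", "EX4100", "EX2 Ultra", "EX2100",
    "Mirror Gen 2", "WDBCTLxxxxxx-10", "DL2100", "DL4100",
}
END_OF_SUPPORT = {"DL2100", "DL4100"}  # marked * in the model list


def parse_version(text):
    """Return 'major.minor.build' as an int tuple, or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def triage(model, firmware):
    """Map one device to an action drawn from the mitigation steps."""
    name = model.replace("My Cloud", "").strip()
    if name not in AFFECTED:
        return "not-listed"
    version = parse_version(firmware)
    if version is None:
        return "verify-manually"  # unknown version: treat as unpatched
    if version >= FIXED:          # tuple compare, so 5.9.x < 5.31.x
        return "patched"
    if name in END_OF_SUPPORT:
        return "isolate"          # patch availability is uncertain
    return "update"


# Constructed sample inventory (hypothetical devices and versions).
INVENTORY = [
    ("My Cloud PR4100", "5.31.108"),
    ("My Cloud EX2 Ultra", "5.30.100"),
    ("My Cloud DL4100", "2.31.204"),
    ("My Cloud Mirror Gen 2", "5.9.120"),
    ("My Cloud EX4100", "n/a"),
]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{model:24} {fw:10} -> {triage(model, fw)}")
```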
The Bigger Picture
This vulnerability underscores persistent risks in consumer-grade cloud storage appliances. Despite targeting home offices and individual users, these devices often contain sensitive personal and work data. Their 'set-and-forget' nature makes them prime targets for large-scale attacks. As one security engineer observes: "Your NAS is a treasure chest sitting on your network perimeter. One unpatched service turns it into a threat actor's beachhead."
Source: BleepingComputer