Western Digital has released a critical firmware update for its My Cloud NAS devices, addressing a severe OS command injection vulnerability tracked as CVE-2025-30247.
The flaw, rated 9.3 (Critical) on the CVSS 4.0 scale, could allow remote attackers to execute arbitrary system commands on affected devices without authentication.
The issue was responsibly disclosed to Western Digital by a security researcher using the handle w1th0ut. It affects the user interface of My Cloud NAS systems running firmware versions prior to 5.31.108. The vulnerability is triggered by specially crafted HTTP POST requests, allowing attackers to remotely exploit the system without requiring user interaction or privileges.
According to the vendor's advisory, exploitation of this bug requires no authentication and no user interaction. The flaw essentially opens a door to full remote code execution (RCE), enabling attackers to run arbitrary commands on vulnerable NAS units, which is a worst-case scenario for devices that often store personal files, backups, or business-critical data.
Western Digital's My Cloud product line comprises a diverse range of NAS models, catering to consumers, small businesses, and home offices. These devices are known for offering centralized cloud storage and remote access features. Impacted models include My Cloud EX2 Ultra, EX4100, PR2100, PR4100, DL2100, DL4100, Mirror Gen 2, and the standard My Cloud units. All affected devices have received the security patch in firmware version 5.31.108, released on September 24, 2025.
The fix is part of Western Digital's routine firmware maintenance and is now available for download. The company recommends that users either enable automatic updates or manually install the update via the My Cloud dashboard. Manual update procedures involve downloading the correct firmware for the specific model and uploading it through the web interface, followed by a reboot of the device. WD has published detailed step-by-step instructions to ensure users complete the process safely.
If upgrading to a secure firmware version isn't possible at this time, users are advised to disable remote dashboard access to reduce the attack surface and restrict network access to My Cloud devices by using VLANs, firewalls, or VPNs.
Leave a Reply