WD patches NAS security flaw which could have allowed full takeover


  • Western Digital patches critical RCE flaw CVE-2025-30247 in multiple My Cloud NAS models
  • Vulnerability exploited via crafted HTTP POST requests targeting the My Cloud user interface
  • End-of-life models won’t receive updates; users urged to patch or migrate to newer devices

Data storage giant Western Digital just fixed a critical-severity vulnerability that was discovered in multiple My Cloud NAS models.

In a security advisory, the company said it was tipped off about an OS command injection flaw in the My Cloud user interface, which could be abused through specially crafted HTTP POST requests sent to vulnerable devices.

A successful attack would grant threat actors remote code execution (RCE) capabilities. The flaw is tracked as CVE-2025-30247 and was given a severity score of 9.3/10 (critical). Here is a full list of the affected models:

  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX4100
  • My Cloud EX2 Ultra
  • My Cloud Mirror Gen 2
  • My Cloud DL2100
  • My Cloud EX2100
  • My Cloud DL4100
  • My Cloud WDBCTLxxxxxx-10

End of life

My Cloud DL4100 and My Cloud DL2100 are two models that have reached their end-of-life status, and as such will not be getting an update.

Users are advised to migrate to a newer model, and then apply the firmware patch to bring the device to version 5.31.108.

Default settings allow for automatic patch management, but Western Digital still urges users to double-check the version they are running.

Alternatively, they can take the device offline until they install the patch, but in that case, cloud service features will not be available.
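
For anyone double-checking more than one device, the version check described above can be scripted. This is an added example, not code from Western Digital or the original article; it assumes firmware at or above 5.31.108 counts as patched, that the "x" characters in WDBCTLxxxxxx-10 are wildcards, and the inventory entries and status labels are constructed for illustration.

```python
import re

FIXED = (5, 31, 108)  # patched firmware version named in the article
# Affected models as listed in the article ("My Cloud" prefix stripped)
AFFECTED = {"PR2100", "PR4100", "EX4100", "EX2 Ultra", "Mirror Gen 2",
            "DL2100", "EX2100", "DL4100"}
EOL = {"DL2100", "DL4100"}  # end-of-life: no update will be released
# Assumption: the x's in "WDBCTLxxxxxx-10" stand for any characters
WDBCTL = re.compile(r"WDBCTL\w+-10$", re.IGNORECASE)


def parse_version(text):
    """Return the firmware version as a tuple of ints, or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(model, firmware):
    """Classify one device against CVE-2025-30247 using the article's facts."""
    name = re.sub(r"^my\s+cloud\s+", "", model.strip(), flags=re.IGNORECASE)
    known = {a.lower() for a in AFFECTED}
    if name.lower() not in known and not WDBCTL.match(name):
        return "not-listed"
    if name.upper() in EOL:
        return "eol-no-fix"        # migrate, or keep the device offline
    version = parse_version(firmware)
    if version is None:
        return "check-manually"    # unreadable version: verify on the device
    # Compare numerically: as strings, "5.9.200" would sort above "5.31.108"
    return "patched" if version >= FIXED else "update-required"


# Constructed inventory (model, reported firmware) for illustration only
INVENTORY = [
    ("My Cloud PR4100", "5.31.108"),
    ("My Cloud EX2 Ultra", "5.9.200"),
    ("My Cloud DL4100", "5.31.108"),
    ("My Cloud WDBCTL123456-10", "5.30.103"),
    ("My Cloud EX4100", "unknown"),
    ("My Cloud Home", "9.4.0"),
]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{model:28} {fw:10} {triage(model, fw)}")
```

End-of-life models are reported as having no fix regardless of the version they report, since the article states they will not receive the update.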

The devices make up a line of personal cloud storage solutions, used mostly for backing up multimedia and documents, streaming them to smart TVs and mobile devices, or sharing them with other people.

My Cloud is primarily designed for personal use, but there are some models (mostly those in the EX and PR series) that come with RAID support, multiple drive bays, and enhanced user management, which also makes them somewhat suitable for small offices or prosumer environments.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
