Western Digital patches potentially dangerous security flaw, so update now


Western Digital has patched a potentially dangerous flaw found in the firmware of some of its network-attached storage devices (NAS).

In a press release, Western Digital said that a cybersecurity researcher from Positive Technologies, Nikita Abramov, discovered a high-severity flaw in its NAS devices which could allow threat actors to run arbitrary code remotely, steal data, and breach confidential information. 

The flaw is tracked as CVE-2023-22815, and holds a severity score of 8.8. It was discovered in the firmware of My Cloud OS 5, v5.23.114, software used by a number of WD devices, such as My Cloud PR2100, My Cloud PR4100, My Cloud EX4100, My Cloud EX2 Ultra, My Cloud Mirror G2, and others.

Dangerous scenario

“The most dangerous scenario is a complete seizure of control over NAS. All further steps depend on the attacker’s objectives: stealing, modifying, or completely removing data, and possibly deploying malware,” commented Nikita Abramov. 

He further explained that the flaw was most likely introduced with new features that weren’t analyzed properly: “The vulnerability is likely caused by adding new functionality to NAS without proper security checks. Other similar parts of the web interface (that could be used for command injection) filtered and checked the received data, preventing cyberattacks from happening,” Abramov concluded.  

Further in the press release, WD said that more than 2,400 NAS devices are currently reachable over the internet, with the majority being in Germany (460), the US (310), Italy (257), the UK (131), and South Korea (125).

To address the issue, users should install the updated My Cloud OS 5 v5.26.300 firmware on all affected devices. The full list of vulnerable endpoints can be found on this link.

NAS devices are a popular target among cybercriminals. QNAP’s NAS hardware, for example, has been targeted multiple times over the last three years. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.