Full Report
Western Digital has released firmware updates for multiple My Cloud NAS models to patch a critical-severity vulnerability that could be exploited remotely to execute arbitrary system commands. [...]
Analysis Summary
# Vulnerability: Critical WD My Cloud OS Command Injection
## CVE Details
- CVE ID: CVE-2025-30247
- CVSS Score: Not stated in the report; rated Critical (inferred from the description of a "critical-severity vulnerability" allowing remote command execution)
- CWE: OS Command Injection
## Affected Systems
- Products: Western Digital My Cloud NAS models:
  - My Cloud PR2100
  - My Cloud PR4100
  - My Cloud EX4100
  - My Cloud EX2 Ultra
  - My Cloud Mirror Gen 2
  - My Cloud DL2100 (End of Support)
  - My Cloud EX2100
  - My Cloud DL4100 (End of Support)
  - My Cloud WDBCTLxxxxxx-10
- Versions: All firmware versions prior to 5.31.108
- Configurations: Affects devices running My Cloud OS 5 that have not been updated.
## Vulnerability Description
This is an OS Command Injection vulnerability present in the user interface of the affected My Cloud devices. It can be leveraged by sending specially crafted HTTP POST requests to vulnerable endpoints, allowing an unauthenticated remote attacker to execute arbitrary system commands on the underlying operating system.
## Exploitation
- Status: Details on exploitation status are not explicitly provided, but the severity implies high risk.
- Complexity: Likely Low, given the mechanism involves crafted HTTP POST requests.
- Attack Vector: Network
## Impact
- Confidentiality: High (Could lead to unauthorized file access, user enumeration)
- Integrity: High (Could lead to configuration changes, file modification/deletion)
- Availability: High (Could lead to binary execution, ransomware deployment, or device misconfiguration)
## Remediation
### Patches
- Firmware version **5.31.108** addresses the vulnerability for supported models.
### Workarounds
- Users are strongly advised to take the device **offline** (disconnect it from the network) until the update can be applied. Devices can still function as local storage in LAN mode.
## Detection
- **Indicators of Compromise:** Unexpected system behavior, unauthorized user creation, unusual outbound network connections, or evidence of ransomware/botnet activity.
- **Detection methods and tools:** Monitoring outbound network traffic originating from the NAS device and analyzing web traffic logs for suspicious POST requests targeting the UI endpoints.
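As an added example (not the advisory's or Western Digital's code), the two checks the Remediation and Detection sections describe: a firmware-version comparison against the fixed release 5.31.108, and a scan of web-server access-log lines for POST requests to the NAS web UI whose query string carries shell metacharacters. The UI path prefixes and the sample log lines are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote

FIXED_VERSION = (5, 31, 108)  # fixed firmware release named in the advisory
UI_PREFIXES = ("/cgi-bin/", "/web/")  # hypothetical UI path prefixes (assumption)

# Common log format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3}'
)
# Shell metacharacters that have no business in a UI form value; a lone '&'
# is excluded because it is the normal query-string separator.
SHELL_META = re.compile(r'[;`|\n]|\$\(|&&')


def parse_version(version: str) -> tuple:
    """'5.31.108' -> (5, 31, 108) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def firmware_is_patched(version: str) -> bool:
    """True when the device reports firmware 5.31.108 or newer."""
    return parse_version(version) >= FIXED_VERSION


def flag_suspicious_posts(log_lines):
    """Return (client_ip, path) for POST requests to UI paths whose decoded
    query string carries shell metacharacters. Only the request line is
    visible in access logs; POST bodies require a proxy or WAF log."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match or match["method"] != "POST":
            continue
        path = match["path"]
        if path.startswith(UI_PREFIXES) and SHELL_META.search(unquote(path)):
            hits.append((match["ip"], path))
    return hits


# Constructed sample log lines (not real traffic); two carry metacharacters.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2025:10:00:01 +0000] "GET /web/ HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Mar/2025:10:00:05 +0000] "POST /cgi-bin/login.cgi?user=admin HTTP/1.1" 200 128',
    '198.51.100.7 - - [10/Mar/2025:10:01:13 +0000] "POST /cgi-bin/example.cgi?name=x%3Bid HTTP/1.1" 200 64',
    '198.51.100.7 - - [10/Mar/2025:10:01:20 +0000] "POST /cgi-bin/example.cgi?name=x%60id%60 HTTP/1.1" 500 0',
    '203.0.113.5 - - [10/Mar/2025:10:02:00 +0000] "POST /api/upload HTTP/1.1" 200 0',
]
```

Running `flag_suspicious_posts(SAMPLE_LOG)` reports only the two `/cgi-bin/example.cgi` requests from 198.51.100.7; the ordinary login POST and the non-UI upload are left alone.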
## References
- Vendor Advisory/Firmware Release: hxxps://www.westerndigital.com/support/product-security/wdc-25006-western-digital-my-cloud-os-5-firmware-5-31-108
- Manual Update Instructions: hxxps://support-en.wd.com/app/answers/detailweb/a_id/31757/~/update-firmware-on-my-cloud-os-5-automatically-or-manually
- Firmware Information Portal: hxxps://os5releasenotes.mycloud.com/