Critical Command Injection Vulnerability in Western Digital My Cloud NAS Devices
Summary
Hide ▲
Show ▼
Western Digital has released firmware updates to address a critical-severity OS command injection vulnerability (CVE-2025-30247) affecting multiple My Cloud NAS models. The flaw allows remote attackers to execute arbitrary system commands through specially crafted HTTP POST requests. The vulnerability impacts several models, including My Cloud PR2100, PR4100, EX4100, EX2 Ultra, Mirror Gen 2, DL2100, EX2100, DL4100, and WDBCTLxxxxxx-10. Users are advised to update to firmware version 5.31.108 to mitigate the risk. Two models, My Cloud DL4100 and DL2100, have reached end of support and may not receive updates.
Timeline
-
30.09.2025 18:07 1 articles · 9h ago
Critical Command Injection Vulnerability in Western Digital My Cloud NAS Devices
Western Digital has released firmware updates to address a critical-severity OS command injection vulnerability (CVE-2025-30247) affecting multiple My Cloud NAS models. The flaw allows remote attackers to execute arbitrary system commands through specially crafted HTTP POST requests. The vulnerability impacts several models, including My Cloud PR2100, PR4100, EX4100, EX2 Ultra, Mirror Gen 2, DL2100, EX2100, DL4100, and WDBCTLxxxxxx-10. Users are advised to update to firmware version 5.31.108 to mitigate the risk. Two models, My Cloud DL4100 and DL2100, have reached end of support and may not receive updates.
Show sources
- Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com — 30.09.2025 18:07
Information Snippets
-
The vulnerability, CVE-2025-30247, is an OS command injection flaw in the user interface of My Cloud.
First reported: 30.09.2025 18:071 source, 1 articleShow sources
- Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com — 30.09.2025 18:07
-
The flaw can be exploited through specially crafted HTTP POST requests to vulnerable endpoints.
First reported: 30.09.2025 18:071 source, 1 articleShow sources
- Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com — 30.09.2025 18:07
-
The vulnerability was reported by a security researcher using the alias 'w1th0ut'.
First reported: 30.09.2025 18:071 source, 1 articleShow sources
- Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com — 30.09.2025 18:07
-
Firmware version 5.31.108 addresses the issue for all affected models.
First reported: 30.09.2025 18:071 source, 1 articleShow sources
- Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com — 30.09.2025 18:07
-
My Cloud devices are typically used by small businesses, home offices, and individuals for personal cloud storage and remote access.
First reported: 30.09.2025 18:071 source, 1 articleShow sources
- Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com — 30.09.2025 18:07
-
Exploitation could result in unauthorized file access, modification, deletion, user enumeration, configuration changes, or binary execution.
First reported: 30.09.2025 18:071 source, 1 articleShow sources
- Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com — 30.09.2025 18:07
-
Users should update to the latest firmware version or take the device offline until the update can be applied.
First reported: 30.09.2025 18:071 source, 1 articleShow sources
- Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com — 30.09.2025 18:07
-
Automatic updates were pushed starting September 23, 2025.
First reported: 30.09.2025 18:071 source, 1 articleShow sources
- Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com — 30.09.2025 18:07
-
Manual updates require downloading the correct firmware image and navigating to Settings > Firmware Update > Update From File.
First reported: 30.09.2025 18:071 source, 1 articleShow sources
- Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com — 30.09.2025 18:07