
Western Digital has released firmware updates for multiple My Cloud NAS models to patch a critical-severity vulnerability that could be exploited remotely to execute arbitrary system commands.
Tracked as CVE-2025-30247, the flaw is an OS command injection in the user interface of My Cloud and can be leveraged through specially crafted HTTP POST requests sent to vulnerable endpoints.
The vulnerability was reported to Western Digital by a security researcher using the alias “w1th0ut.” The storage device maker released firmware version 5.31.108 to address the issue that impacts all previous versions for the following models:
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX4100
- My Cloud EX2 Ultra
- My Cloud Mirror Gen 2
- My Cloud DL2100
- My Cloud EX2100
- My Cloud DL4100
- My Cloud WDBCTLxxxxxx-10
It is worth noting that two of the devices, My Cloud DL4100 and My Cloud DL2100, have reached end of support (EoS) and updates may not be available, as the security advisory from the company does not provide mitigation action for EoS products.
My Cloud is Western Digital’s line of network-attached storage (NAS) devices, typically used by small businesses, home offices, and individuals who want to store data on a personal cloud and access it from any device.
While not intended for use in critical or enterprise environments, they are popular among the general consumer audience for providing easy remote access to files via mobile apps or browsers, media streaming, and automated backups.
Exploitation of CVE-2025-30247 to run shell commands could result in unauthorized file access, modification, deletion, user enumeration, configuration changes, or even binary execution.
In the past, hackers have exploited similar flaws on NAS devices to harvest sensitive data, build botnets, use the devices as proxies, or deploy ransomware and then extort users.
My Cloud users should prioritize patching to 5.31.108 as soon as possible. If immediate action cannot be taken, users are recommended to take the device offline until they can apply the update.
Even if offline, My Cloud devices can still work as local storage centers in LAN mode, though files stored on Western Digital’s cloud service will not be available.
Users who have enabled automatic updates on their device settings should have received the update since September 23, 2025. Checking to ensure you’re running the latest version is recommended.
Manual updates are possible (instructions here) by sourcing the correct firmware image for your device model from here and then navigating to Settings > Firmware Update > Update From File > select the downloaded BIN file.
A reboot of the device will be required for the update to take effect, and the device must remain plugged in throughout the process to prevent data corruption.
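For anyone tracking more than one device, the following Python script (an added example, not code from Western Digital or the original article) triages an inventory against the affected-model list and the fixed version 5.31.108 named above. The inventory rows, hostnames, status labels and the reading of the "x" characters in "WDBCTLxxxxxx-10" as alphanumeric placeholders are assumptions.

```python
import re

FIXED = (5, 31, 108)  # firmware version the article names as the fix
# Affected models as listed in the article (prefix "My Cloud" stripped).
AFFECTED = {"PR2100", "PR4100", "EX4100", "EX2 ULTRA", "MIRROR GEN 2",
            "DL2100", "EX2100", "DL4100"}
EOS = {"DL2100", "DL4100"}  # end of support: an update may not be available
# Assumption: each "x" in "WDBCTLxxxxxx-10" stands for one alphanumeric.
WDBCTL = re.compile(r"WDBCTL[0-9A-Z]{6}-10")

def parse_version(text):
    """Turn '5.31.108' into (5, 31, 108) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def normalize_model(name):
    """Fold case and spacing, then drop the 'My Cloud' prefix."""
    name = re.sub(r"\s+", " ", name.strip().upper())
    return re.sub(r"^MY CLOUD ", "", name)

def triage(model, version):
    """Classify one device by model and reported firmware version."""
    m = normalize_model(model)
    if m not in AFFECTED and not WDBCTL.fullmatch(m):
        return "not-listed"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown-version"  # needs a manual check on the device
    if v >= FIXED:
        return "patched"
    return "vulnerable-eos" if m in EOS else "update-required"

# Constructed inventory: (hostname, model, firmware version).
INVENTORY = [
    ("nas-office", "My Cloud PR4100", "5.31.108"),
    ("nas-home", "my cloud ex2 ultra", "5.9.200"),  # sorts above 5.31.108 as a string
    ("nas-archive", "My Cloud DL4100", "5.30.104"),
    ("nas-lab", "My Cloud EX2100", "n/a"),
]

def report(inventory):
    """Return (hostname, status) pairs for every inventory row."""
    return [(host, triage(model, ver)) for host, model, ver in inventory]

if __name__ == "__main__":
    for host, status in report(INVENTORY):
        print(f"{host:12} {status}")
```

Anything reported as `update-required`, `vulnerable-eos` or `unknown-version` is a candidate for the article's fallback of taking the device offline until it can be updated or checked.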