Western Digital has released firmware updates to address a critical-severity vulnerability in multiple My Cloud Network Attached Storage (NAS) devices that could allow remote attackers to execute arbitrary system commands without authentication. The vulnerability, tracked as CVE-2025-30247, affects My Cloud OS 5 devices and carries a CVSS score of 9.3, indicating significant risk to affected systems1, 6. Security researcher “w1th0ut” discovered and responsibly disclosed the flaw, which enables complete system compromise through specially crafted HTTP POST requests1, 3.
This latest security issue continues a concerning pattern of command injection vulnerabilities in Western Digital’s consumer storage products, with similar flaws documented as far back as 20159. The company has addressed these issues through firmware version 5.31.108, released on September 24, 2025, though some older models may not receive updates due to end-of-support status1, 3.
Technical Analysis and Attack Vector
CVE-2025-30247 represents a critical remote command injection vulnerability in the user interface of Western Digital My Cloud OS 5 devices. The flaw enables unauthenticated remote attackers to execute arbitrary system commands through manipulation of HTTP POST requests to the device’s web interface1, 3, 6. This attack vector requires no user interaction or existing privileges on the target system, making it particularly dangerous for devices exposed to the internet. The vulnerability’s critical nature stems from its combination of remote exploitability, lack of authentication requirements, and the complete system access it grants to successful attackers.
The command injection mechanism allows threat actors to achieve full remote code execution, potentially leading to data theft, ransomware deployment, data modification, or complete system takeover1, 3. Security vendors have already begun monitoring for exploitation attempts, with Fortinet publishing intrusion prevention signatures specifically targeting this vulnerability5. The rapid response from security vendors indicates concern about potential widespread exploitation of this vulnerability in the wild.
Affected Products and Remediation Steps
The vulnerability impacts multiple My Cloud OS 5 devices running firmware versions prior to 5.31.108. Affected models include the My Cloud EX2 Ultra, EX4100, PR2100, PR4100, DL2100, DL4100, Mirror Gen 2, and standard My Cloud units (WDBCTLxxxxxx-10)1, 3. Notably, the My Cloud DL4100 and DL2100 have reached end-of-support status, which may complicate patch availability for these specific models3. Organizations relying on these end-of-life devices should consider replacing them with supported alternatives.
Western Digital has made firmware version 5.31.108 available through both automatic and manual update channels. Devices with automatic updates enabled should have already received the patch, though users should verify their current firmware version1, 3. For manual updates, administrators can download the appropriate BIN file from Western Digital’s support site and apply it through the My Cloud dashboard via Settings > Firmware Update > Update From File. The company provides a detailed step-by-step guide for this process, and a device reboot is required after applying the update1, 3.
Historical Context of My Cloud Vulnerabilities
CVE-2025-30247 represents the latest in a series of command injection vulnerabilities affecting Western Digital’s My Cloud product line. A particularly illustrative case from 2022, CVE-2022-22991, was independently discovered and exploited by both the IoT Inspector Research Lab (ONEKEY) and Spider Labs during the Pwn2Own Austin 2021 hacking competition10. This vulnerability existed in the `ConnectivityService` binary, which ran on boot and every 300 seconds to check cloud connectivity.
The technical breakdown of CVE-2022-22991 reveals a classic command injection pattern. The service used `wget` to fetch a health check file from an unencrypted HTTP endpoint, then passed the unsanitized output to the `analyticlog` utility through a `system()` call10. The vulnerable code, as reconstructed from Ghidra analysis, appeared as:
sprintf(cmd_buf,"%s:HTTP-response:\"%s\"", "analyticlog -l NOTICE -s ConnectivityService -m checkCloudConnect string", content); // 'content' contains unsanitized wget output system(cmd_buf);
Attackers could exploit this flaw through a Man-in-the-Middle attack, using ARP spoofing to hijack DNS resolution and serve a malicious HTTP response containing injected commands10. The ONEKEY team demonstrated this using `scapy` to implement ARP spoofing, DNS spoofing, and ICMP reply spoofing, forcing the device to contact their malicious server and trigger the vulnerability. This historical example underscores the persistent pattern of insecure coding practices in the My Cloud ecosystem.
Mitigation Strategies and Security Recommendations
For organizations unable to immediately apply the firmware update, several interim mitigation strategies can reduce attack surface. Disabling remote dashboard access represents the most effective temporary measure, as the vulnerability requires access to the device’s web interface1. Additionally, restricting network access to the device using firewalls, VLANs, or VPNs can prevent external attackers from reaching vulnerable components. As a last resort, taking the device offline until it can be updated will eliminate remote exploitation risk while maintaining local storage functionality3.
Beyond immediate patching, organizations should consider broader security implications for internet-connected storage devices. Network segmentation remains crucial for limiting lateral movement in case of compromise, while regular firmware updates should be incorporated into standard maintenance procedures. Monitoring solutions should be configured to detect unusual command execution or network traffic patterns from these devices, and security teams should maintain awareness of the historical vulnerability patterns in consumer-grade NAS products.
The recurrence of similar command injection vulnerabilities in Western Digital’s My Cloud products over multiple years suggests systemic issues in secure development practices. From the 2015 vulnerabilities detailed by VerSprite9 to the 2019 fixes in advisory WDC-190027 and the recent CVE-2024-22170 buffer overflow8, the pattern indicates persistent challenges in input validation and command execution safety. Organizations relying on these devices should implement defense-in-depth strategies that assume additional vulnerabilities may be discovered in the future.
The discovery and patching of CVE-2025-30247 highlights the ongoing security challenges facing network-attached storage devices, particularly those designed for consumer and small business use. While the immediate threat can be mitigated through firmware updates, the historical context suggests similar vulnerabilities may continue to emerge in these products. Security teams should maintain updated asset inventories that include all network-connected storage devices and establish processes for monitoring security advisories from storage vendors. The persistence of command injection flaws across multiple product generations and firmware versions underscores the importance of defense-in-depth strategies that don’t rely solely on vendor patches for protection.
