Critical Bug in WD My Cloud Allows Remote Command Injection
Western Digital has released firmware updates for multiple My Cloud NAS models to patch a critical vulnerability that could allow attackers to execute arbitrary commands remotely.
The flaw, tracked as CVE-2025-30247, is a command injection vulnerability in the My Cloud user interface. It can be exploited through specially crafted HTTP POST requests sent to vulnerable endpoints. The issue was reported to Western Digital by an independent security researcher known as w1th0ut.
Firmware Update Released
To address the bug, Western Digital has issued firmware version 5.31.108, which applies to all versions of the following models:
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX4100
- My Cloud EX2 Ultra
- My Cloud Mirror Gen 2
- My Cloud DL2100
- My Cloud EX2100
- My Cloud DL4100
- My Cloud WDBCTLxxxxxx-10
Two of these models—the My Cloud DL4100 and My Cloud DL2100—have already reached end-of-life status. According to Western Digital’s security bulletin, no remediation will be provided for unsupported devices.
Impact of the Vulnerability
Successful exploitation of CVE-2025-30247 could enable attackers to:
- Gain unauthorized access to stored files
- Modify or delete data
- Enumerate user accounts
- Change system configurations
- Execute arbitrary binaries on the NAS device
Recommended Actions
Western Digital advises all My Cloud owners to update to firmware version 5.31.108 immediately.
- Users with automatic updates enabled should have received the patch beginning September 23, 2025.
- Users relying on manual updates should verify that their device is running the latest firmware.
- If updating is not immediately possible, administrators are urged to disconnect the device from the internet until the patch can be applied.
