Article Details

Critical WD My Cloud bug allows remote command injection - Bleeping Computer

Retrieved on: 2025-09-30 15:08:49

Summary

Western Digital has released critical firmware updates to address CVE-2025-30247, a severe command injection vulnerability affecting multiple My Cloud NAS models that allows remote attackers to execute arbitrary system commands.

The security flaw impacts nine My Cloud models and can be exploited through malicious HTTP POST requests to vulnerable endpoints. Successful exploitation could lead to unauthorized file access, data modification, user enumeration, or complete system compromise. The vulnerability poses significant risks as hackers have previously used similar NAS flaws to harvest sensitive data, build botnets, or deploy ransomware.

  • Firmware version 5.31.108 patches the critical vulnerability across affected My Cloud devices
  • Two end-of-support models (DL2100/DL4100) may not receive updates and require additional precautions
  • Users should immediately update or take devices offline until patching is possible
  • Automatic updates were rolled out starting September 23, 2025, but manual verification is recommended

Article found on: www.bleepingcomputer.com
