Western Digital disclosed a critical **remote code execution (RCE) vulnerability (CVE-2025-30247)** in the firmware of its **My Cloud NAS devices**, affecting models like My Cloud PR2100, PR4100, EX2 Ultra, and others running firmware versions prior to **v5.31.108**. The flaw, an **OS command injection** in the user interface, allows unauthenticated attackers to execute arbitrary system commands via a crafted **HTTP POST request** without user interaction.

A successful exploit grants full system control, enabling attackers to **access, encrypt, delete, or modify all stored data**, including backups, project files, and sensitive documents. The compromised device could also serve as a **launchpad for lateral movement** within the same network, risking further breaches of connected systems.

While no in-the-wild exploitation has been reported, the vulnerability poses a severe risk to **home and small business users** relying on these devices for storage and backups. Western Digital urged immediate firmware updates, with automatic updates already applied to connected devices. Failure to patch could lead to **data loss, ransomware deployment, or network-wide compromise** if exploited by threat actors.
Source: https://www.helpnetsecurity.com/2025/09/30/western-digital-my-cloud-nas-cve-2025-30247/
TPRM report: https://www.rankiteo.com/company/western-digital
"id": "wes5632056093025",
"linkid": "western-digital",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Users of My Cloud NAS devices '
'with firmware prior to '
'v5.31.108',
'industry': 'Data Storage / Technology',
'location': 'Global (HQ: San Jose, California, USA)',
'name': 'Western Digital',
'size': 'Large (Publicly Traded)',
'type': 'Corporation'}],
'attack_vector': 'Network (HTTP POST request)',
'customer_advisories': ['Users urged to update firmware via notifications and '
'public communications'],
'data_breach': {'data_encryption': ['Possible unauthorized encryption by '
'attackers'],
'data_exfiltration': ['Possible if exploited'],
'personally_identifiable_information': ['Possible (if stored '
'by users)'],
'sensitivity_of_data': ['Potentially high (depends on '
'user-stored content)'],
'type_of_data_compromised': ['Potential: All data stored on '
'affected NAS devices '
'(documents, backups, project '
'files, etc.)']},
'date_publicly_disclosed': '2024-09-23',
'date_resolved': '2024-09-23',
'description': 'Western Digital has fixed a critical remote code execution '
'vulnerability (CVE-2025-30247) in the firmware of its My '
'Cloud network-attached storage (NAS) devices. The '
'vulnerability, an OS command injection flaw in the firmware’s '
'user interface, allows remote attackers to execute arbitrary '
'system commands via a specially crafted HTTP POST request '
'without prior authentication or user interaction. Successful '
'exploitation could lead to full system compromise, including '
'unauthorized access, encryption, deletion, or modification of '
'stored data, as well as potential lateral movement to other '
'systems on the same network. Affected devices include My '
'Cloud models running firmware prior to v5.31.108, released on '
'September 23. Western Digital urges users to update their '
'firmware immediately to mitigate the risk.',
'impact': {'brand_reputation_impact': ['Potential reputational damage if '
'exploited in the wild'],
'data_compromised': ['Potential full access to stored data (if '
'exploited)'],
'operational_impact': ['Potential data encryption, deletion, or '
'modification; lateral movement risk to '
'other network systems'],
'systems_affected': ['My Cloud PR2100',
'My Cloud PR4100',
'My Cloud EX2 Ultra',
'My Cloud EX4100',
'My Cloud Mirror Gen 2',
'My Cloud EX2100',
'My Cloud DL2100',
'My Cloud DL4100',
'My Cloud WDBCTLxxxxxx-10']},
'initial_access_broker': {'backdoors_established': ['Potential if exploited'],
'entry_point': ['Firmware UI (OS command injection '
'via HTTP POST request)'],
'high_value_targets': ['Stored data on NAS devices; '
'potential pivot to other '
'network systems']},
'investigation_status': 'Resolved (Patch released; no known exploitation in '
'the wild)',
'lessons_learned': 'Proactive vulnerability disclosure and rapid patching are '
'critical for IoT/NAS devices, which often store sensitive '
'data and can serve as entry points for broader network '
'compromises. Automatic firmware updates can significantly '
'reduce exposure windows.',
'post_incident_analysis': {'corrective_actions': ['Released patched firmware '
'(v5.31.108) to address the '
'vulnerability'],
'root_causes': ['OS command injection '
'vulnerability in firmware UI due '
'to insufficient input '
'validation']},
'ransomware': {'data_encryption': ['Potential (if exploited for ransomware)'],
'data_exfiltration': ['Potential (if exploited)']},
'recommendations': ['Immediately update My Cloud NAS devices to firmware '
'v5.31.108 or later.',
'Enable automatic firmware updates where possible.',
'Isolate NAS devices on separate network segments to '
'limit lateral movement risk.',
'Monitor for unusual access patterns or unauthorized '
'commands on NAS devices.',
'Regularly audit stored data sensitivity and implement '
'backup strategies to mitigate ransomware risks.'],
'references': [{'source': 'Western Digital Security Advisory'}],
'response': {'communication_strategy': ['Public advisory, firmware update '
'notifications, email alerts for '
'subscribers'],
'containment_measures': ['Firmware update (v5.31.108) released '
'to patch vulnerability'],
'incident_response_plan_activated': True,
'remediation_measures': ['Urgent advisory for users to update '
'firmware; automatic updates enabled '
'for connected devices'],
'third_party_assistance': ['Vulnerability privately reported by '
'a researcher']},
'stakeholder_advisories': ['Public advisory issued; firmware update '
'notifications sent to users'],
'title': 'Critical Remote Code Execution Vulnerability in Western Digital My '
'Cloud NAS Devices (CVE-2025-30247)',
'type': ['Vulnerability', 'Remote Code Execution (RCE)'],
'vulnerability_exploited': 'CVE-2025-30247 (OS Command Injection in Firmware '
'UI)'}