Western Digital

Western Digital disclosed a critical OS command injection vulnerability (CVE-2025-30247) in multiple My Cloud NAS models, including PR2100, PR4100, EX4100, EX2 Ultra, Mirror Gen 2, DL2100, EX2100, DL4100, and WDBCTLxxxxxx-10. The flaw allows remote attackers to execute arbitrary system commands via crafted HTTP POST requests, potentially leading to unauthorized file access, modification, deletion, user enumeration, or binary execution. While primarily affecting small businesses, home offices, and consumers, exploitation could enable data theft, botnet recruitment, proxy misuse, or ransomware deployment. Two models (DL4100 and DL2100) are end-of-support (EoS), leaving them unpatched. Users are urged to update to firmware 5.31.108 immediately or disconnect devices until patched. Automatic updates were rolled out on September 23, 2025, but manual updates are also available. Failure to patch risks severe compromise of stored data, including potential lateral movement into connected networks or ransomware attacks targeting backups and sensitive files.

Source: https://www.bleepingcomputer.com/news/security/critical-wd-my-cloud-bug-allows-remote-command-injection/

TPRM report: https://www.rankiteo.com/company/western-digital

"id": "wes5892358093025",
"linkid": "western-digital",
"type": "Vulnerability",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of My Cloud NAS devices '
                                              '(small businesses, home '
                                              'offices, individuals)',
                        'industry': 'Data Storage/Technology',
                        'location': 'Global',
                        'name': 'Western Digital',
                        'type': 'Corporation'}],
 'attack_vector': 'Network (Remote)',
 'customer_advisories': 'Users notified via device updates and public channels',
 'data_breach': {'data_exfiltration': 'Possible (historical exploits on NAS '
                                      'devices include data harvesting)',
                 'personally_identifiable_information': 'Possible (if stored '
                                                        'on device)',
                 'sensitivity_of_data': ['Potentially high (personal files, '
                                         'backups, media)'],
                 'type_of_data_compromised': ['Potential: Stored files '
                                              '(personal/cloud data)',
                                              'User credentials',
                                              'Configuration data']},
 'date_publicly_disclosed': '2025-09-23',
 'description': 'Western Digital has released firmware updates for multiple My '
                'Cloud NAS models to patch a critical-severity OS command '
                'injection vulnerability (CVE-2025-30247). The flaw, reported '
                "by security researcher 'w1th0ut,' allows remote attackers to "
                'execute arbitrary system commands via crafted HTTP POST '
                'requests to vulnerable endpoints. Exploitation could lead to '
                'unauthorized file access, modification, deletion, user '
                'enumeration, configuration changes, or binary execution. '
                'Affected models include My Cloud PR2100, PR4100, EX4100, EX2 '
                'Ultra, Mirror Gen 2, DL2100, EX2100, DL4100, and '
                'WDBCTLxxxxxx-10. Users are urged to update to firmware '
                'version 5.31.108 immediately or take devices offline if '
                'patching is delayed. Two models (DL4100 and DL2100) are '
                'end-of-support (EoS) and may lack updates.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'vulnerability in consumer-facing '
                                       'product',
            'data_compromised': ['Potential unauthorized file access',
                                 'Modification',
                                 'Deletion',
                                 'User enumeration'],
            'operational_impact': ['Potential unauthorized configuration '
                                   'changes',
                                   'Binary execution',
                                   'Loss of cloud access if taken offline'],
            'systems_affected': ['My Cloud PR2100',
                                 'My Cloud PR4100',
                                 'My Cloud EX4100',
                                 'My Cloud EX2 Ultra',
                                 'My Cloud Mirror Gen 2',
                                 'My Cloud DL2100',
                                 'My Cloud EX2100',
                                 'My Cloud DL4100',
                                 'My Cloud WDBCTLxxxxxx-10']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Potential (based on '
                                                    'historical NAS '
                                                    'exploitation trends)',
                           'entry_point': 'Vulnerable HTTP POST endpoints in '
                                          'My Cloud UI',
                           'high_value_targets': ['Stored files',
                                                  'User credentials',
                                                  'Device configurations']},
 'investigation_status': 'Resolved (Patch released)',
 'lessons_learned': ['Critical importance of timely patching for '
                     'consumer-facing IoT/NAS devices',
                     'Need for clear end-of-support (EoS) mitigation '
                     'strategies',
                     'Risks of remote command execution in network-attached '
                     'storage systems'],
 'post_incident_analysis': {'corrective_actions': ['Released firmware patch '
                                                   '(5.31.108) for supported '
                                                   'devices',
                                                   'Public disclosure and '
                                                   'patching instructions',
                                                   'Recommendation to isolate '
                                                   'or replace EoS devices'],
                            'root_causes': ['OS command injection '
                                            'vulnerability in user interface',
                                            'Insufficient input validation for '
                                            'HTTP POST requests',
                                            'Lack of mitigation for '
                                            'end-of-support (EoS) devices']},
 'recommendations': ['Immediately update My Cloud NAS devices to firmware '
                     '5.31.108',
                     'Take unpatched devices offline to prevent exploitation',
                     'Disable remote access if patching is delayed',
                     'Monitor for unauthorized access or suspicious activity',
                     'Consider replacing end-of-support (EoS) devices (DL2100, '
                     'DL4100)',
                     'Enable automatic updates for future vulnerabilities'],
 'references': [{'source': 'Western Digital Security Advisory'},
                {'source': 'Firmware Update Instructions'},
                {'source': 'Manual Update Firmware Downloads'}],
 'response': {'communication_strategy': ['Public security advisory',
                                         'Update instructions for manual '
                                         'patching'],
              'containment_measures': ['Firmware update (5.31.108)',
                                       'Recommendation to take devices offline '
                                       'if unpatched'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['Manual update instructions provided',
                                    'Automatic updates enabled since '
                                    '2025-09-23'],
              'remediation_measures': ['Patching vulnerable endpoints',
                                       'Disabling remote access until patched'],
              'third_party_assistance': ["Security researcher 'w1th0ut' "
                                         '(vulnerability reporter)']},
 'stakeholder_advisories': 'Public advisory issued with patching instructions',
 'title': 'Western Digital My Cloud NAS Critical OS Command Injection '
          'Vulnerability (CVE-2025-30247)',
 'type': ['Vulnerability', 'OS Command Injection'],
 'vulnerability_exploited': 'CVE-2025-30247 (OS Command Injection in My Cloud '
                            'UI)'}