Western Digital has released firmware updates for several My Cloud NAS models. The update fixes a critical vulnerability that could be used for remote execution of arbitrary commands.
The vulnerability has been assigned identifier CVE-2025-30247 and is a command injection issue in the My Cloud user interface. The bug can be exploited via specially crafted HTTP POST requests sent to vulnerable endpoints. Western Digital was notified of the vulnerability by a security researcher using the pseudonym w1th0ut.
As a result, the manufacturer released firmware version 5.31.108 to address the issue, which affects all versions of the models:
- My Cloud PR2100;
- My Cloud PR4100;
- My Cloud EX4100;
- My Cloud EX2 Ultra;
- My Cloud Mirror Gen 2;
- My Cloud DL2100;
- My Cloud EX2100;
- My Cloud DL4100;
- My Cloud WDBCTLxxxxxx-10.
It is worth noting that two devices on this list (My Cloud DL4100 and My Cloud DL2100) have already reached end of support, so updates may be unavailable for them. According to the company’s security bulletin, no remediation measures are provided for legacy products.
Exploitation of CVE-2025-30247 to execute shell commands can lead to unauthorized access to files, their modification, deletion, user enumeration, configuration changes, or even the execution of binaries on the vulnerable NAS.
My Cloud device owners are advised to update to version 5.31.108 as soon as possible. If an immediate update is not possible, it is recommended to disconnect the device from the network until the patch is applied.
Users with automatic updates enabled should have received a patch after September 23, 2025. It is recommended to ensure that the device is running the latest firmware version and, if necessary, update the device manually.