- Western Digital patches critical RCE flaw CVE-2025-30247 in multiple My Cloud NAS models
- Vulnerability exploited via crafted HTTP POST requests targeting the My Cloud user interface
- End-of-life models won’t receive updates; users urged to patch or migrate to newer devices
Data storage giant Western Digital just fixed a critical-severity vulnerability that was discovered in multiple My Cloud NAS models.
In a security advisory, the company said it was tipped off about an OS command injection flaw in the My Cloud user interface that could be abused through specially crafted HTTP POST requests sent to vulnerable devices.
The attack would grant threat actors remote code execution (RCE) capabilities. The flaw is tracked as CVE-2025-30247 and was given a severity score of 9.3/10 (critical). Here is a full list of the affected models:
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX4100
- My Cloud EX2 Ultra
- My Cloud Mirror Gen 2
- My Cloud DL2100
- My Cloud EX2100
- My Cloud DL4100
- My Cloud WDBCTLxxxxxx-10
End of life
My Cloud DL4100 and My Cloud DL2100 are two models that have reached end-of-life status and, as such, will not be getting an update.
Users are advised to migrate to a newer model and then apply the firmware patch to bring the device to version 5.31.108.
Default settings allow for automatic patch management, but Western Digital still urges users to double-check the version they are running.
Alternatively, they can take the device offline until they install the patch, but in that case, cloud service features will not be available.
The devices make up a line of personal cloud storage solutions, used mostly for backing up multimedia and documents, streaming them to smart TVs and mobile devices, or sharing them with other people.
My Cloud is primarily designed for personal use, but some models (mostly those in the EX and PR series) come with RAID support, multiple drive bays, and enhanced user management, which also makes them somewhat suitable for small offices or prosumer environments.
Via BleepingComputer