CVE-2025-30247: Critical Command Injection Flaw in Western Digital My Cloud NAS Devices

Western Digital (WD) has patched a critical vulnerability in its My Cloud NAS platforms that could allow remote attackers to gain full control over affected devices. The flaw, tracked as CVE-2025-30247, carries a CVSS score of 9.4 and is one of the most severe security issues to affect the storage line in recent years.

According to WD’s advisory, “An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST.”

This means a remote attacker, without needing physical access, can craft malicious requests to execute commands directly on the device’s underlying operating system—potentially leading to data theft, device compromise, or network pivoting.

For organizations and home users relying on My Cloud for file storage and backup, exploitation could:

• Grant attackers root-level control of NAS devices.
• Expose sensitive files stored on the device.
• Allow attackers to use the compromised NAS as a launchpad for further attacks within the local network.

With NAS devices often accessible remotely for convenience, the attack surface is broad.

The fixed version is firmware 5.31.108. Western Digital urges users to update immediately. The advisory stresses: “My Cloud Firmware 5.31.108 includes updates to help improve the security of your My Cloud devices. To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.”

Related Posts:

• Western Digital’s WD Discovery App Exposed to Code Execution Vulnerability
• Western Digital (WD) My Cloud EX2 Storage Device Default Configuration Leaked File
• A Local Privilege Escalation flaw exists on Western Digital My Cloud
• Western Digital ‘My Cloud’ Storage Devices exist secret hard-coded backdoor
• Western Digital Cyberattack: Unveiling the Stolen Data and Fallout

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.