Critical WD My Cloud Vulnerability Allows Remote Command Injection Attack

johny899

Consider your WD My Cloud box at home. It stores your files, movies, or backups, correct? Now, imagine a hacker gaining access to it and executing commands as if they were you. Very frightening, isn't it? But that’s precisely what this new bug permits.

I have used a My Cloud before and always considered it secure since it’s behind a home network. But, with this bug, it’s not nearly as secure.

What is the bug?

  • The bug is CVE-2025-30247.
  • It is a command injection vulnerability, meaning hackers can send fake requests to your device, causing it to execute dangerous commands.
  • Attacking remotely through the internet is possible; you don’t even have to be connected to the same Wi-Fi network as the victim.

Which devices might have issues?

Here’s a list of devices that could be affected:

  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX4100
  • My Cloud EX2 Ultra
  • My Cloud Mirror Gen 2
  • My Cloud DL2100
  • My Cloud EX2100
  • My Cloud DL4100
  • My Cloud WDBCTLxxxxxx-10

The bad news? The DL2100 and DL4100 are not supported. So WD will no longer provide fixes.

What can hackers do?

With this bug, hackers can:

  • Steal, change, or delete your files
  • See your user accounts
  • Change system settings
  • Run any program they want

In other words, take full control of your device.

What has WD Done?

Western Digital has already pushed out a fix. The fix is firmware 5.31.108 and began rolling out on September 23, 2025.

How to Update Manually

  • Download the appropriate firmware file for your model.
  • Go to your My Cloud’s settings, then Firmware update, and Update from file.
  • Select the file and allow the device to reboot.

Do not unplug the device during the update or the device may break.

If you have one of the older EoS models (like the DL2100 or DL4100), there is no patch. Your options are to either take the device offline or replace it.

What should be done now?

  • Update your My Cloud, if your device is supported.
  • If you can’t update at this time, at least unplug it from the internet. There may still be ample but limited functionality on local Wi-Fi only, but not when connecting to a cloud.
  • If your My Cloud is supported past update capacity, it is safer to buy a new device or build a homemade NAS.

My own take

Bugs like this make me remember why I don’t rely on a NAS to keep my only copy of the files. Letting hackers have full access and control is something that isn't taken lightly. Personally, if I had a My Cloud device, I would update on that date of recent news or even move my files and device elsewhere.
 