OS Command Injection Vulnerability in Western Digital My Cloud Firmware
CVE-2025-30247

9.3 CRITICAL

Key Information:

CVE Published: 29 September 2025

What is CVE-2025-30247?

CVE-2025-30247 is an OS command injection vulnerability in the user interface of the firmware for Western Digital My Cloud NAS platforms, affecting versions prior to 5.31.108. It enables remote attackers to execute arbitrary system commands by sending specially crafted HTTP POST requests. My Cloud devices are commonly used for personal and small business cloud storage, letting users store, manage, and share files over the internet. Unauthorized command execution on such a device could lead to system compromise, data manipulation, or unauthorized access to the sensitive information stored on it.

Potential impact of CVE-2025-30247

  1. Unauthorized Access and Control: Attackers can exploit the vulnerability to gain control over the affected device, allowing them to manipulate system processes, access confidential data, or misconfigure security settings.

  2. Data Breaches: The ability to execute arbitrary commands could lead to the exfiltration of sensitive data, resulting in significant privacy and compliance violations for organizations relying on these devices for storage.

  3. Operational Disruption: Exploitation of this vulnerability could lead to service interruptions or downtime, severely impacting business operations and productivity, particularly for organizations that rely on My Cloud for efficient file management and access.

Affected Version(s)

My Cloud: all versions before 5.31.108

News Articles

Critical WD My Cloud bug allows remote command injection

Western Digital has released firmware updates for multiple My Cloud NAS models to patch a critical-severity vulnerability that could be exploited remotely to execute arbitrary system commands.

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

Credit

Western Digital would like to thank w1th0ut for reporting this.