Western Digital has released firmware version 5.31.108 for My Cloud network-attached storage (NAS) devices to remediate CVE-2025-30247, a critical command injection vulnerability in the web-based administration interface that could enable remote code execution (RCE). The issue was disclosed to the vendor by security researcher w1th0ut. Automatic rollout began after 23 September 2025, and users are urged to verify their systems have received the patch.
What is CVE-2025-30247: command injection leading to RCE
The flaw stems from improper input handling in the My Cloud management UI. Specially crafted HTTP POST requests to vulnerable control-panel endpoints could be incorporated into a backend system call without adequate sanitization, resulting in the execution of arbitrary shell commands with the privileges of the affected process. This behavior is a textbook example of command injection and can rapidly escalate to full device compromise.
Injection weaknesses consistently rank among the most dangerous web risks in the OWASP Top 10, because they allow attackers to hijack application logic and run arbitrary commands. In the context of NAS, which often store critical business and personal data, RCE can be particularly damaging.
Affected models and firmware availability
Western Digital has published firmware 5.31.108 for the impacted My Cloud product line. Users with auto-update enabled should have received the fix beginning late September 2025, but manual verification is recommended. Two models—My Cloud DL4100 and My Cloud DL2100—are end of support and will not receive patches. The vendor does not plan to provide mitigations for these legacy devices.
How to confirm your My Cloud is patched
Log in to the My Cloud web interface with an administrator account, open the update section, and confirm that the installed firmware is 5.31.108. If not present, initiate an update through the UI or download the package from Western Digital’s support site. Perform a backup of critical data before applying firmware updates, then verify version and service functionality after installation.
Risk and real-world impact of exploitation
Successful exploitation of CVE-2025-30247 could allow an attacker to execute shell commands, access or modify files, enumerate users, alter configuration, and deploy additional binaries on the NAS. Such access is commonly used for persistence, data theft, cryptomining, or staging ransomware activity. Campaigns against NAS are not theoretical—ransomware such as DeadBolt has previously targeted consumer and SMB storage platforms by abusing exposed management services and unpatched flaws.
Security advisories from government and industry bodies routinely caution against exposing administrative interfaces to the internet and emphasize timely patching as primary controls for NAS and other edge devices. These measures materially reduce the likelihood of compromise and contain blast radius if an incident occurs.
Mitigation guidance and hardening steps
Update to 5.31.108 immediately. If you cannot patch right away, the most reliable interim control is to isolate the device from untrusted networks. Additional best practices include:
• Restrict the management UI to trusted networks only (LAN or VPN); avoid direct internet exposure.
• Disable port forwarding and UPnP on routers to prevent unintended external access.
• Segment NAS devices from user workstations and high-value assets.
• Enforce least privilege for NAS accounts; use strong, unique passwords and enable MFA where supported.
• Enable audit logging and security monitoring to detect suspicious activity.
• Maintain regular, tested backups, including offline or immutable copies.
End-of-life models: DL4100 and DL2100
Because DL4100 and DL2100 will not receive fixes, consider long-term isolation, strict access controls, or planned replacement with a supported model. Continuing to operate EOL devices on exposed networks markedly increases risk.
Addressing critical NAS vulnerabilities promptly is essential for data resilience and operational continuity. Verify your My Cloud runs 5.31.108, minimize external exposure, and apply rigorous cyber hygiene. These steps substantially lower the probability and impact of compromise while aligning with widely accepted security guidance.
