
Western Digital My Cloud NAS devices vulnerable to unauthenticated RCE (CVE-2025-30247)

  • September 30, 2025

Jasper_The_Rasper
Moderator

September 30, 2025 By Zeljka Zorz 

 

Western Digital has fixed a critical remote code execution vulnerability (CVE-2025-30247) in the firmware powering its My Cloud network-attached storage (NAS) devices, and has urged users to upgrade as soon as possible.


About CVE-2025-30247

Western Digital’s My Cloud devices are designed for home and small business users, to store documents and other content and access it via mobile apps or a web browser. In small office settings, they are also often used as a server for backups and a centralized place for project files.

CVE-2025-30247 is an OS command injection vulnerability in the firmware’s user interface, and allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST request.

The vulnerability’s CVSS string indicates that no prior authentication or user interaction is required for exploitation. A successful attack may result in full system compromise, giving the attackers access to all the data stored on the device and the ability to encrypt, delete, or modify it.

A compromised device could also provide a foothold for attackers who want to compromise other systems in the same network.

 
