OS Command Injection in Western Digital My Cloud UI

Successful exploitation can result in remote arbitrary command execution on the NAS device. Western Digital indicates this may lead to unauthorized file access, file modification or deletion, user enumeration, configuration changes, and execution of attacker-supplied binaries. Given the nature of command injection on a NAS appliance, compromise could also enable full device takeover within the privileges of the vulnerable service and facilitate persistence or further lateral activity from the appliance.

If immediate patching is not possible, Western Digital recommends taking affected devices offline until they can be updated. The vendor notes that offline My Cloud devices can continue to function as local storage in LAN mode, though cloud-stored files will not be available while offline. For end-of-support models such as My Cloud DL4100 and My Cloud DL2100, no vendor mitigation beyond removing exposure is provided in the available content.

Upgrade affected Western Digital My Cloud devices to firmware version 5.31.108 or later. The vendor states that all prior firmware versions on the listed supported My Cloud models are affected. A reboot is required after applying the update, and the device should remain powered during the update process to avoid data corruption. For devices with automatic updates enabled, Western Digital indicated the update began rolling out on September 23, 2025.