CVE-2025-30247
BaseFortify
Publication date: 2025-09-29
Last updated on: 2025-10-02
Assigner: Western Digital
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| westerndigital | my_cloud_os | 5.31.108 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS command injection flaw in the user interface of Western Digital My Cloud firmware prior to version 5.31.108 on NAS platforms. It allows remote attackers to execute arbitrary system commands by sending a specially crafted HTTP POST request to the device. [1]
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can remotely execute arbitrary code on the affected device, potentially gaining full control over the system. This could lead to unauthorized access, data theft, disruption of services, or further attacks within the network. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should promptly update your Western Digital My Cloud device firmware to version 5.31.108 or later, as this update addresses the remote code execution flaw. [1]