Urgent: Critical WD My Cloud Bug Exposes NAS Devices to Unauthenticated Remote Command Injection

A severe security flaw has been unearthed in Western Digital's popular My Cloud Network Attached Storage (NAS) devices, posing a critical threat to users' valuable data. Identified as CVE-2024-27361, this vulnerability allows unauthenticated attackers to execute arbitrary commands remotely with root privileges, effectively granting them full control over affected devices.

The discovery, made by security researchers at Rapid7, highlights a dangerous weakness within specific My Cloud models.

The vulnerability impacts My Cloud PR2100 and PR4100 NAS devices running firmware versions 5.27.162 and earlier. This means that a significant number of devices, often used by small businesses and home users for crucial data storage and backup, could be wide open to exploitation.

According to Rapid7's detailed analysis, the flaw resides in the `/cgi-bin/sug_change_javascript.cgi` endpoint.

Specifically, the `sug_change_javascript_change_value` parameter is susceptible to command injection. An attacker, without needing any prior authentication, can craft a malicious request to this endpoint. This request, when processed by the vulnerable firmware, allows the attacker to inject and execute operating system commands as the root user.

The implications are dire: unauthorized access to all stored files, the ability to wipe data, install malware, or even integrate the device into a botnet.

Western Digital was promptly informed of the vulnerability and, in a commendable response, released firmware update 5.27.202 in April 2024.

This crucial update specifically addresses CVE-2024-27361, patching the command injection flaw and significantly bolstering the security posture of the affected My Cloud devices. It is paramount that all owners of My Cloud PR2100 and PR4100 devices immediately update their firmware to the latest version to mitigate this serious risk.

Rapid7 has published a proof-of-concept (PoC) demonstrating the ease with which this vulnerability can be exploited, underscoring the urgency for users to take action.

The ongoing threat landscape makes it clear that NAS devices, often internet-facing, are attractive targets for cybercriminals. This isn't the first time WD My Cloud devices have faced critical security issues, reinforcing the need for constant vigilance and prompt updates by users.

Protecting your digital assets is paramount.

If you own a WD My Cloud PR2100 or PR4100, do not delay. Navigate to your device's administrative interface and initiate the firmware update process. Failing to do so leaves your network storage, and potentially your entire network, exposed to sophisticated attacks that could lead to devastating data loss or privacy breaches.