Latest firmware still vulnerable

Disabling UPnP control of firewall ports puts control into the hands of the router admin: you.

It is important to distinguish between UPnP traffic and UPnP control; disabling UPnP control of the router does not prevent UPnP traffic. So you can still use your router for UPnP/DLNA media streaming.

The consequence is that you will have to manually open ports for external traffic you do want, but that generally isn’t too hard.

Pass it to your solicitor.

Weird, a new year and several months since I decided to just unplug my mycloud 4tb and disconnect it etc - I thought, I will go back to Western Digital’s forum and see how they are deeming the security of the devices that they have manufactured and sold, along with it’s software… to find the latest round of complete cluster f&*ks that Western Digital clearly are.

You know what amazes me; the average domestic user will not use the internet to search for “how secure is a western digital my cloud” before they actually purchase the item and yet, Western Digital have carried on selling these devices, with it’s software for several months since the last round of global stated vulnerabilities… this really is akin to fraud by deception by Western Digital on all who have purchased these devices.

It is wholly unacceptable in today’s climate, for such a large company as WD to take security flaws / vulns so incredibly lightly, when they are even given disclosures on a plate… ONE HUNDRED AND EIGHTY DAYS and still no contact with the disclosee… WOW!

Class Action Anybody? I also will now look into how this sits with the Data Protection Regulator here in the UK, especially with the General Data Protection Regulation (GDPR) only been 5 months away from being enforcable.

Admittedly, WD don’t host one’s data to my knowledge, it’s on the device that sits on one’s local network but it is still a question worth having with them. Namely, to see where GDPR sits in regard to this actual type of manufacturer > consumer structure of such devices and a complete disregard for the consumers abiltiy to keep their data secure enough i,e, 180 days since receiving a security disclosure.

Additionally, these devices are no doubt often purchased by smaller businesses and hence GDPR would come into play so much more, than domestic purchasers of WD personal cloud devices. Also, these are physical devices in our posession, as opposed to Cloud Storage one pays a company for, to host and supposedly keep one’s data safe on one’s behalf.

I’m so utterly pissed with Western Digital, more than the last time I was here and found out how bad the device that they sold me was for vulnerabilities!!!

Let me in a room face to face with a Western Digital C-level memer of personnel, oh I would love that!

Oh, yeah! I have few words to them too!
Where have they found such awkward developers?

1 Like

We have posted an update in regards to this topic on the Western Digital Blog.

Previously reported security vulnerabilities related to certain My Cloud products had been disclosed by a security researcher directly with our team in 2017, and critical issues mentioned in these recent articles (; were addressed in 2017 with firmware update v2.30.172 and above. Other issues are being addressed in future updates.

One of those issues currently being addressed for a future update is that certain My Cloud models (only with firmware versions 2.xx but not My Cloud Home) with default settings could be exploited by a sophisticated hacker in the unlikely event such hacker has access to the owner’s local network; or, if the My Cloud owner has enabled Dashboard Cloud Access (certain models*) or enabled additional port forwarding to such My Cloud devices. To mitigate this issue, we strongly recommend that My Cloud owners who have made such changes disable the Dashboard Cloud Access and ensure their router and My Cloud device are secure by disabling additional port-forwarding functionalities. All affected My Cloud owners should restrict local network guest access only to people they trust. We are working on a firmware update for this issue and will make it available on our support download site as soon as possible. As always, we encourage users to contact Western Digital customer support should they need help updating their device. If you wish to contact customer support directly, please visit this page. You may need to use the “Change country” link on that page to find the most appropriate phone number for your location.

It is important to note that the My Cloud Home model architecturally is designed new from the ground up and we are not aware of any vulnerability to the security issues listed in the respective reports.

As a reminder, we urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended. We also urge you to implement sound data protection practices such as regular data backups and password protection, including to secure your router when you use a personal cloud or network-attached storage device.

Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover. We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities.

*Models with Dashboard Cloud Access:

My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud EX2 Ultra
My Cloud DL2100
My Cloud DL4100
My Cloud PR2100
My Cloud PR4100
My Cloud Mirror
My Cloud Mirror Gen 2
Dashboard Cloud Access:

The Dashboard Cloud Access feature is available under Settings->General->Cloud Access.

Port Forwarding: Port forwarding of HTTP connections should disabled on the My Cloud device and the router. On My Cloud devices the port-forwarding feature is available under Settings->Network->Port Forwarding and can be used only if the connected router supports uPnP.


Lance, can I suggest that it might be an idea for WD to post a sticky thread on the relevant sub-forums, identifying the status of disclosed CVEs, their exploit risk, and suggested mitigations, and in what firmware CVE vulnerabilities have been closed.

At the moment, all we have to go on is vague statements in the firmware release notes, which rarely identify specific CVEs.

1 Like


Thanks for the suggestion. I will check with the product teams to see if we have more detailed info available.

If WD take product security seriously, they REALLY ought to know the status of EVERY reported CVE relevant to their products.

The impression most forum users have gained over the last few years is that, sadly, WD do not take product security seriously; I really shouldn’t have to be telling WD how to communicate product security status to your customers, it should be glaringly obvious.

1 Like

Just to add now it has gone mainstream;

I just wanted to update you all on this issue. We have released a new FW available today for manual download and installation. It will be available for pushed OTA FW update next week. Please see the post below.

Also regarding the hardcoded admin user and password. This issue was resolved in 11/17 FW 2.30.172 release.

Any chance of a download link…?

The Download link is in the original post copies below for your convenience

My Cloud Firmware Update 4.05.00-320 & 2.30.181

4.05.00-320 was released last November. Not today.

Firmware Release 04.05.00-320 (11/28/2017)

Do you have a link to the new firmware released today for manual download…?

The 4.X FW was not updated today. The security issue resolved in this release is not applicable to My Cloud single bay devices running 4.X FW.

When can we expect a v4 firmware release addressing the issue resolved in the new v2 release (CVE-2017-17560)?

Or information identifying whether issues are common or unique to firmware versions?

See my post above. I edited it to be more clear. The security issue resolved in this release is not applicable to devices running the 4.X FW.


Is my earlier point about having a central repository of identified vulnerabilities and their relevance/status now becoming clearer…?

I do not disagree with you. Currently this resource does not exist. I have passed your suggestion along to the product team.

Lance. I’m assuming you know that a list of users from the MyCloud NASs can still be dumped without any need for authentication? Luckily, no passwords revealed, but the admin account name is revealed!

I turned off the cloud access and I am not able to use the MyCloud app on my mobile device when I am in my local network at home. Is it right? Any chance using the Mycloud app?