Latest firmware still vulnerable

@WD_MCH

Lance, can I suggest that it might be an idea for WD to post a sticky thread on the relevant sub-forums, identifying the status of disclosed CVEs, their exploit risk, and suggested mitigations, and in what firmware CVE vulnerabilities have been closed.

At the moment, all we have to go on is vague statements in the firmware release notes, which rarely identify specific CVEs.


@cpt_paranoia

Thanks for the suggestion. I will check with the product teams to see if we have more detailed info available.

If WD take product security seriously, they REALLY ought to know the status of EVERY reported CVE relevant to their products.

The impression most forum users have gained over the last few years is that, sadly, WD do not take product security seriously; I really shouldn’t have to be telling WD how to communicate product security status to your customers, it should be glaringly obvious.


Just to add now it has gone mainstream;

I just wanted to update you all on this issue. We have released a new FW available today for manual download and installation. It will be available for pushed OTA FW update next week. Please see the post below.

Also regarding the hardcoded admin user and password. This issue was resolved in 11/17 FW 2.30.172 release.

Any chance of a download link…?

The download link is in the original post, copied below for your convenience.

My Cloud Firmware Update 4.05.00-320 & 2.30.181

4.05.00-320 was released last November. Not today.

Firmware Release 04.05.00-320 (11/28/2017)

Do you have a link to the new firmware released today for manual download…?

The 4.X FW was not updated today. The security issue resolved in this release is not applicable to My Cloud single bay devices running 4.X FW.

When can we expect a v4 firmware release addressing the issue resolved in the new v2 release (CVE-2017-17560)?

Or information identifying whether issues are common or unique to firmware versions?

See my post above. I edited it to be more clear. The security issue resolved in this release is not applicable to devices running the 4.X FW.

Thanks.

Is my earlier point about having a central repository of identified vulnerabilities and their relevance/status now becoming clearer…?

I do not disagree with you. Currently this resource does not exist. I have passed your suggestion along to the product team.

Lance. I’m assuming you know that a list of users from the MyCloud NASs can still be dumped without any need for authentication? Luckily, no passwords revealed, but the admin account name is revealed!

I turned off the cloud access and I am not able to use the MyCloud app on my mobile device when I am in my local network at home. Is it right? Any chance using the Mycloud app?

Try using the ‘manage devices’ in the App menu, and removing the association. Then add it back, using your MyCloud credentials.

You should be able to access via the WD Mobile app and your local network; that’s all I ever do.

What do you mean?

Three bar menu:
Manage Devices/Services
Already added

Swipe left on your device; this will delete the association.

Your device will re-appear under ‘Available cloud services’.
Select it, and enter your credentials.

One CAN use the My Cloud apps (and Desktop software) if one has disabled Remote Access/Cloud Access within the My Cloud Dashboard. However, depending on how one initially configured the My Cloud app/software for access (for example, using one’s MyCloud.com login), one may need to remove the existing device from the app/software and select the local networked My Cloud device. Obviously, one will need to be on the same local network as the My Cloud in order for the app/software to find the local networked My Cloud device.

OK, that worked. But how do I re-add the device in the Desktop software?