Wonder what spooked WD with releasing update v2.31.174 on the 26th?

As in …

Resolved Authentication bypass vulnerability (CVE-2019-9950)
Resolved Unauthenticated file upload vulnerability (CVE-2019-9951)

These CVE references are presently reserved and the issues fixed are undisclosed; it is good that the update has appeared without any public disclosure before a fix. Update installed without a hitch for me.

Something is a bit fishy. When has WD ever been ahead of a vulnerability? Usually they are months to years behind.
Glad your install went without a hitch, you are far more brave than I installing so quickly.

Curiouser and Curiouser. My NAS no longer exclaims that there’s a Firmware update. When doing a check using the blue triangle on the Firmware component on the NAS dashboard, it can no longer reach the WD server to update. What are you up to WD?

I had the same error message. I eventually went to my product’s support page to download the FW and installed it manually via the dashboard. I had no issues with it.

In this case the details are not yet released.

Maybe an internal change in policy and/or management? Maybe WD have discovered an issue themselves? Maybe someone has disclosed a problem that is so stupidly serious that it can’t be ignored, as once released a parrot would be able to upload files remotely and do what they like with a compromised NAS?

The previous version of firmware was only released for manual download and that had significant updates within it.

I still find it mind-boggling how, in one of the past vulnerabilities, some code or program that is generally used in D-Link equipment managed to make its way into a WD NAS and, worse still, that program has a hard-coded back-door in it! That has since been patched.

It will be interesting to know what write-up is given to the two CVEs that have been addressed.

Interesting. I thought I would do a firmware check from the NAS and I also got that failure to connect to server error, but the previous version did automatically download and install the current firmware.

Things are still weird with this one. NAS sometimes can’t connect to the update server. Sometimes it can and says I’m up-to-date, but I am not. (at ver. 2.31.149).

For what it’s worth, given the vulnerabilities that exist in the firmware version you’re using, manually download the firmware file and apply it to your NAS. If your NAS is not accessible from the Internet, or if it is but no port forwarding is used and relaying is used, then it’s not that critical.

Oh my. Those are some real nasty vulnerabilities that have been plugged.

https://nvd.nist.gov/vuln/detail/CVE-2019-9949

Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, EX4100, DL2100, DL4100, PR2100 and PR4100 before firmware 2.31.183 are affected by a code execution (as root, starting from a low-privilege user session) vulnerability. The cgi-bin/webfile_mgr.cgi file allows arbitrary file write by abusing symlinks. Specifically, this occurs by uploading a tar archive that contains a symbolic link, then uploading another archive that writes a file to the link using the “cgi_untar” command. Other commands might also be susceptible. Code can be executed because the “name” parameter passed to the cgi_unzip command is not sanitized.

https://nvd.nist.gov/vuln/detail/CVE-2019-9950

Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an authentication bypass vulnerability. The login_mgr.cgi file checks credentials against /etc/shadow. However, the “nobody” account (which can be used to access the control panel API as a low-privilege logged-in user) has a default empty password, allowing an attacker to modify the My Cloud EX2 Ultra web page source code and obtain access to the My Cloud as a non-Admin My Cloud device user.

https://nvd.nist.gov/vuln/detail/CVE-2019-9951

Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an unauthenticated file upload vulnerability. The page web/jquery/uploader/uploadify.php can be accessed without any credentials, and allows uploading arbitrary files to any location on the attached storage.
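The symlink-then-write pattern in the CVE-2019-9949 description above, seen from the defender's side, as an added example that is not part of the thread and not WD's code: a Python extractor that refuses link members and resolves every destination against the extraction root before writing. The function names, the `share` and `outside` directories and both archives are constructed for illustration.

```python
import io, os, tarfile, tempfile

def make_tar(members):
    """Build a constructed in-memory tar from (name, kind, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tf.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def safe_untar(fileobj, root):
    """Extract only regular files and directories under root; return rejections."""
    root = os.path.realpath(root)
    rejected = []
    with tarfile.open(fileobj=fileobj, mode="r") as tf:
        for m in tf:
            # realpath follows links already on disk, so a symlink planted
            # by an earlier upload is resolved before the containment check.
            dest = os.path.realpath(os.path.join(root, m.name))
            if not (m.isfile() or m.isdir()):
                rejected.append((m.name, "not a regular file or directory"))
            elif os.path.commonpath([root, dest]) != root:
                rejected.append((m.name, "resolves outside extraction root"))
            elif m.isdir():
                os.makedirs(dest, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tf.extractfile(m) as src, open(dest, "wb") as out:
                    out.write(src.read())
    return rejected

def demo():
    with tempfile.TemporaryDirectory() as base:
        share, outside = os.path.join(base, "share"), os.path.join(base, "outside")
        for d in (share, outside): os.mkdir(d)
        first = make_tar([("link", "symlink", outside)])
        second = make_tar([("link/planted.txt", "file", "x"), ("ok.txt", "file", "hello")])
        r1 = safe_untar(first, share)                     # link member refused
        os.symlink(outside, os.path.join(share, "link"))  # state a naive extractor would leave
        r2 = safe_untar(second, share)                    # write through the link refused
        return r1, r2, os.listdir(outside), sorted(os.listdir(share))
```

The resolve-then-open sequence is still racy if another process can change the directory tree during extraction, so the extraction root should not be writable by anyone else while this runs.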

Maybe WD being cautious? I’ve been daft and left auto-update on. At 05:00 the firmware update got installed successfully. This is also with the Entware app installed. Just takes between 5 to 10 minutes for the reboot, but I can live with that.

Also interesting reading, which tells the full story and is the full public disclosure after release of updates . . .

The unethical hackers will be on the hunt now for NASs that are not updated. :frowning:
… but a mitigating factor is for the NAS owner to use MyCloud services and not use port forwarding to the NAS from the Internet. Possibly disabling UPnP on the router?