Western Digital is warning owners of My Cloud series devices that can no longer connect to cloud services starting June 15, 2023, if the devices are not upgraded to the latest firmware, version 5.26.202.

The storage maker has decided to take this drastic step to protect its users from cyberattacks, as the latest firmware fixes a remotely exploitable vulnerability that can be exploited to run unauthenticated code.

“Devices with firmware lower than 5.26.202 will not be able to connect to Western Digital cloud services starting June 15, 2023, and users will not be able to access data on their device through mycloud.com and the app mobile My Cloud OS 5 until they update the device to the latest firmware,” says a Western Digital Support Bulletin.

“Users can continue to access their data through Local Access.”

My Cloud is a service that connects network-attached storage (NAS) devices to Western Digital’s cloud service, allowing users to store, access, backup and share media from the web.

That said, unauthorized access to users’ devices or media repositories could lead to serious data and privacy breaches.

Moreover, the execution of arbitrary code can even lead to the deployment of ransomware on devices, which we have seen impacting NAS Devices several times in the recent past.

Western Digital has alerted owners that the following devices must upgrade their firmware to the designated versions or they will no longer be able to access My Cloud:

• My Cloud PR2100 – 5.26.202 or later
• My Cloud PR4100 – 5.26.202 or later
• My Cloud EX4100 – 5.26.202 or later
• My Cloud EX2 Ultra – 5.26.202 or later
• My Cloud Mirror G2 – 5.26.202 or later
• My Cloud DL2100 – 5.26.202 or later
• My Cloud DL4100 – 5.26.202 or later
• My Cloud EX2100 – 5.26.202 or later
• My Cloud – 5.26.202 or later
• WD Cloud – 5.26.202 or later
• My Cloud Home – 9.4.1-101 or later
• My Cloud Home Duo – 9.4.1-101 or later
• SanDisk ibi – 9.4.1-101 or later

The above firmware versions have been published on May 15, 2023fixing the following four vulnerabilities:

• CVE-2022-36327: Critical severity path traversal flaw (CVSS v3.1:9.8) that allows an attacker to write files to arbitrary filesystem locations, leading to unauthenticated remote code execution (workaround authentication) on My Cloud devices.
• CVE-2022-36326: Uncontrolled resource consumption issue triggered by specially crafted requests sent to vulnerable devices, causing DoS. (medium severity)
• CVE-2022-36328: Path traversal flaw allowing an authenticated attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations. (medium severity)
• CVE-2022-29840: Server-Side Request Forgery (SSRF) vulnerability that could allow an unauthorized server on the local network to modify its URL to point to the loopback. (medium severity)

To learn more about updating the firmware of your My Cloud device, visit Instructions from Western Digital.