WD My Cloud NAS vulnerability detailed

With the recent news of the Meltdown and Spectre CPU exploits, security vulnerabilities are starting to get more attention. Quite a few places reported on the news that many of WD's My Cloud NAS units have a backdoor that gives full root access to the devices. Logging into the device with username "mydlinkBRionyg" and password "abc12345cba" is all it takes.

That's bad news, but after reaching out for comment from WD, we were informed that the affected devices have all been fixed since the release of firmware update v2.30.172—or in some cases firmware v2.30.168. We checked all the affected models and found that the updated firmware has been available since November 2017. Here's the full list of affected devices, with the vulnerability present on firmware releases v.2.30.165 and earlier:

  • My Cloud
  • My Cloud Mirror
  • My Cloud Gen 2
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100

If you're running one of those NAS units, head over to WDC's My Cloud support page, select your specific model, and grab the latest firmware. And unlike the CPU exploits, there should be no loss of performance with the update, as all it does is remove a backdoor that should never have been there in the first place.

Jarred Walton

Jarred's love of computers dates back to the dark ages when his dad brought home a DOS 2.3 PC and he left his C-64 behind. He eventually built his first custom PC in 1990 with a 286 12MHz, only to discover it was already woefully outdated when Wing Commander was released a few months later. He holds a BS in Computer Science from Brigham Young University and has been working as a tech journalist since 2004, writing for AnandTech, Maximum PC, and PC Gamer. From the first S3 Virge '3D decelerators' to today's GPUs, Jarred keeps up with all the latest graphics trends and is the one to ask about game performance.