WD My Cloud NAS vulnerability detailed

With the recent news of the Meltdown and Spectre CPU exploits, security vulnerabilities are starting to get more attention. Quite a few places reported on the news that many of WD's My Cloud NAS units have a backdoor that gives full root access to the devices. Logging into the device with username "mydlinkBRionyg" and password "abc12345cba" is all it takes.

That's bad news, but after reaching out for comment from WD, we were informed that the affected devices have all been fixed since the release of firmware update v2.30.172—or in some cases firmware v2.30.168. We checked all the affected models and found that the updated firmware has been available since November 2017. Here's the full list of affected devices, with the vulnerability present on firmware releases v.2.30.165 and earlier:

  • My Cloud
  • My Cloud Mirror
  • My Cloud Gen 2
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100

If you're running one of those NAS units, head over to WDC's My Cloud support page, select your specific model, and grab the latest firmware. And unlike the CPU exploits, there should be no loss of performance with the update, as all it does is remove a backdoor that should never have been there in the first place.