Western Digital (WD) devices running My Cloud OS 3 are vulnerable to a zero-day flaw. The flaw, discovered by security researchers, came to light just days after another serious vulnerability led to some users having their data wiped from WD My Book Live devices. WD quietly mitigated the issue affecting its storage units running My Cloud OS 3 by releasing My Cloud OS 5 last year. However, the vulnerability can still have a major impact, as a large number of WD network-attached storage (NAS) devices have yet to be updated to the latest operating system.
The zero-day vulnerability affecting My Cloud OS 3 was discovered by security researchers Pedro Ribeiro and Radek Domanski. The two researchers made a video, available on YouTube, detailing the issue, which essentially allows attackers to remotely update the firmware on a vulnerable device using backdoor access, as reported by KrebsOnSecurity. The vulnerability could be exploited using a user account that has a blank password.