Cyber Resilience

CVE-2025-30247

CriticalRCE

Published: 29 September 2025

Published
29 September 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0136 80.6th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30247 is a critical-severity OS Command Injection (CWE-78) vulnerability in Westerndigital (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, ranked in the top 19.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

An OS command injection vulnerability tracked as CVE-2025-30247 affects the user interface of Western Digital My Cloud firmware versions prior to 5.31.108 on NAS platforms. The flaw, assigned CWE-78, permits unsanitized input in HTTP requests to be passed to the underlying operating system, resulting in a CVSS 4.0 score of 9.3.

Unauthenticated remote attackers can exploit the issue by submitting a specially crafted HTTP POST request to the device, allowing arbitrary system command execution with full read, write, and administrative control over the NAS.

Western Digital's security advisory WDC-25006 states that the vulnerability is resolved by upgrading to My Cloud OS 5 firmware version 5.31.108 or newer and provides installation guidance for affected devices.

The associated EPSS score remains low, with a current value of 0.0136 and a peak of 0.0176.

EU & UK References

Vulnerability details

An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Westerndigital
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References