CVE-2025-30247
Published: 29 September 2025
Summary
CVE-2025-30247 is a critical-severity OS Command Injection (CWE-78) vulnerability in a Western Digital product (vendor inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 19.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An OS command injection vulnerability tracked as CVE-2025-30247 affects the user interface of Western Digital My Cloud firmware versions prior to 5.31.108 on NAS platforms. The flaw, assigned CWE-78, permits unsanitized input in HTTP requests to be passed to the underlying operating system. It carries a CVSS 4.0 score of 9.3.
Unauthenticated remote attackers can exploit the issue by submitting a specially crafted HTTP POST request to the device, allowing arbitrary system command execution with full read, write, and administrative control over the NAS.
Western Digital's security advisory WDC-25006 states that the vulnerability is resolved by upgrading to My Cloud OS 5 firmware version 5.31.108 or newer and provides installation guidance for affected devices.
The associated EPSS score remains low, with a current value of 0.0136 and a peak of 0.0176.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31646
Vulnerability details
An OS command injection vulnerability in the user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST.
- CWE(s): CWE-78
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.