A zero-day vulnerability remains present in network attached storage devices manufactured by Western Digital that run its MyCloud OS 3 software, according to KrebsOnSecurity. The remote code execution flaw potentially allows a threat actor to use a low-privilege user account with a blank password to remotely update a vulnerable device's firmware using a malicious backdoor.
The vulnerability was discovered in 2020 by security researchers looking to take part in the Pwn2Own hacking competition. The company later released its latest version of the software, MyCloud OS 5, which made the bug obsolete.
However, Western Digital has made no statement on whether the flaw has been addressed on MyCloud OS 3 devices and instead urged customers to upgrade to My Cloud OS 5 or purchase a new My Cloud OS 5-supported device.
The researchers recommended that users of MyCloud OS 3 ensure their devices are not remotely reachable via the Internet and have also released a patch they created to address the vulnerabilities, though it needs to be reapplied every time the device is rebooted.
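The researchers' first recommendation, keeping the device unreachable from the Internet, is a perimeter or host firewall question rather than a firmware one. The ruleset below is an added illustration, not from the article or from Western Digital: it assumes an nftables-capable Linux host in front of the NAS (or the NAS itself, if nft is available there), a LAN of 192.168.1.0/24, and that the device's management interface listens on TCP 80 and 443; adjust the subnet and ports to the real environment.

```nftables
# Added example: restrict the NAS management interface to the local network.
# Assumptions (not from the article): LAN is 192.168.1.0/24, the web UI is on
# TCP 80/443, and the rules are loaded on the NAS or a Linux gateway in front of it.
table inet nas_guard {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep established sessions and loopback working.
        ct state established,related accept
        iif "lo" accept

        # Management UI only from the LAN; everything else hits the drop policy,
        # so a port-forward or UPnP mapping from the WAN side no longer reaches it.
        ip saddr 192.168.1.0/24 tcp dport { 80, 443 } accept

        # Log what is dropped so exposure attempts from outside the LAN are visible.
        log prefix "nas_guard drop: " limit rate 5/minute
    }
}
```

Load it with `nft -f <file>` and persist it through whatever the host uses on boot (for example `/etc/nftables.conf`), since, like the researchers' unofficial patch, anything applied only at runtime is lost on reboot. The drop-log line doubles as a detection check: entries in the system log with the `nas_guard drop:` prefix from non-LAN source addresses indicate the device is still being reached from outside.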