by emcrazyone 3080 days ago
The article mentions firmware version 2.30.165, whereas mine is running 2.11.168 and, when checking for updates, reports back I have the latest. I have the EX4 models.

I only run mine on private/home networks with no remote access in to them.

Curious about the version difference...

2 comments

Watch out for things like <img src="http: / / your_nas_ip?backdoor&evil+stuff"> on random websites. They can put in 500+ images to cover all of 192.168.0.0/23.
Huh. I never really thought of that but that's pretty clever.
There was once a script that would reboot your internet modem this way.
2.11.168 is the latest firmware for My Cloud Mirror gen 1 [1]. 2.30.165 is the latest firmware for My Cloud Mirror gen 2 [2].

Both firmwares were released in Nov 2017, and I suspect the vulnerabilities were fixed at that time as well. At the very least nas_sharing.cgi was removed in both versions. But I haven't had a chance to finish my investigations [3].

[1] https://support.wdc.com/downloads.aspx?g=907

[2] https://support.wdc.com/downloads.aspx?g=910

[3] https://gist.github.com/bmaupin/c38c777a0e4fad737a14718b1092...

From what I can tell the hard-coded backdoor vulnerability was remediated, but I see no indication the unrestricted file upload vulnerability has been remediated in any of the firmwares I tested. But I'm not a security expert. I've reached out to Gulftech and WD for clarification.