Shortly after hackers remotely wiped internet-connected My Book Live devices, researchers shared a new zero-day vulnerability affecting Western Digital products running MyCloud OS 3.
Researchers discovered this vulnerability in 2020 and planned to present it at the Pwn2Own hacking competition last November. Western Digital addressed the vulnerability with the release of MyCloud OS 5. But not presented
That doesn’t mean the vulnerability is irrelevant. MyCloud OS 5 isn’t available for all Western Digital products, and some customers have reportedly held off on updating because it lacks features available in MyCloud OS 3. Unfortunately that also leaves these devices open to attack.
Western Digital has also said it won’t provide additional updates for MyCloud OS 3, so devices running the operating system will continue to be affected by this vulnerability.
People affected by this flaw have a few ways to defend themselves from attack: Upgrade to MyCloud OS 5, purchase a device capable of running MyCloud OS 5, install custom firmware that has to be re-enabled when the device is powered on, or disable remote access entirely.