wanting in the security department, as two sets of researchers have revealed a number of serious flaws in the devices’ firmware.

WD My Cloud is meant to be a private cloud environment hosted at home or at a small organization’s office, and can be accessed either from a desktop located on the same network or remotely, with a smartphone, from wherever else in the world. Users can interact with it either via the administrative user interface or an application (that uses a RESTful API).

Zenofex, a member of the Exploitee.rs team, revealed the existence of a login bypass issue, several command injection flaws, and a number of other bugs on Saturday. Then, on Tuesday, researchers with the SEC Consult Vulnerability Lab published a security advisory warning about: “Due to [no anti-CSRF mechanisms], an attacker can force a user to execute any action through any script. As the [OS command injection and unauthenticated arbitrary file upload vulnerabilities] do not need authentication, those can be exploited via CSRF over the Internet as well!”, the researchers noted.

SEC Consult found the flaws in version 2.11.157 of the firmware on a My Cloud EX2 device, but they believe that other My Cloud devices are almost surely vulnerable as well, as the same (or pretty much the same) firmware is used on all of them. Zenofex did his testing on a My Cloud PR4100 device, but also noted that other My Cloud devices are vulnerable to the same issues.
In the wake of these latest revelations, Securify researchers again pointed to their own research and security advisories from January 2017 dealing with the same or similar vulnerabilities, found on versions 2.21.119 and 2.21.126 of the firmware.

All three groups say that the issues have yet to be fixed by Western Digital. SEC Consult researchers complained about the company’s slow reaction to their responsible disclosure efforts, while Zenofex noted the company’s dismal reputation when it comes to patching reported issues. So, he opted for public disclosure, in the hopes that this will push the company to pick up the pace.

“Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible,” he noted.