Western Digital is asking customers to upgrade their WD My Cloud devices to the latest available firmware so that they can continue getting security updates once the My Cloud OS software reaches the end of service. The company disclosed that the support for earlier generations of My Cloud OS, including My Cloud OS3, will end on April 15, 2022.
It further said that if any device isn’t compatible with My Cloud OS5, it’ll lose remote access and be accessible only locally. Security updates and technical assistance won’t be provided to devices running these older firmware versions. The company recommends that customers should back up their devices, disable remote access, unplug them from the internet, and choose a unique and robust password when the firmware is no longer supported.
Before the end of support, eligible device owners can update to My Cloud OS5 (which will get support at least until 2026). If their device isn’t compatible with the My Cloud OS5 firmware, they can upgrade it to a suitable model.
“My Cloud OS 5 is a major and fundamental security release that provides an architectural revamp of our older My Cloud firmware and adds new defenses to thwart common classes of attacks,” Western Digital says.
“We will not provide any further security updates to the My Cloud OS3 firmware. We strongly encourage moving to the My Cloud OS5 firmware.”
Check the support page of Firmware Availability and Supported Devices to determine if your device is compatible with My Cloud OS5. In July, Western Digital issued a warning about continuous cyberattacks targeting My Book Live and My Book Live Duo devices, highlighting the dangers of using unsupported software. When the attackers exploited an unauthenticated factory reset vulnerability (CVE-2021-35941), all data from compromised devices was deleted in certain situations.
The threat actors used exploits targeting a second flaw, a major root remote command execution weakness identified as CVE-2018-18472, to spread trojan malware to other affected computers. The My Book Live device series got the final firmware upgrade in 2015, and the vulnerabilities used in these attacks were restricted to that device model.