Bad news comes in threes, most particularly for Western Digital customers.

As if things weren’t bad enough for the untold number of Western Digital customers whose data blinked out of existence last month, there’s another zero-day waiting for whoever can’t or won’t upgrade its My Cloud storage devices.

The latest zero-day entails an attack chain that allows an unauthenticated intruder to execute code as root and install a permanent backdoor on the vendor’s network-attached storage (NAS) devices. It’s found in all Western Digital NAS devices running the old, no-longer-supported My Cloud 3 operating system: an OS that the researchers said is “in limbo,” given that Western Digital recently stopped supporting it.

Western Digital has said that its update – My Cloud OS 5 – fixed the bug. Maybe so, but the researchers who found the OS 3 vulnerability, Radek Domanski and Pedro Ribeiro, told security journalist Brian Krebs that OS 5 was a complete rewrite of OS 3 that skewered some popular features and functionality. As such, not all users are likely to upgrade: a presumption underscored by the many users who cited using OS 3 in the support forum when the remote data wipe happened in June.

“It broke a lot of functionality,” Domanski said of OS 5, as quoted by Krebs. “So some users might not decide to migrate to OS 5.”

There is hope. Domanski and Ribeiro have developed and released their own patch that fixes the vulnerabilities they found in OS 3. One problem: It needs to be reapplied every time the device reboots.

Contact us if you have any questions regarding how you can secure your NAS devices.