Western Digital My Book Live Devices Remotely Wiped By Malicious Software, But Who Is To Blame?

On June 23rd, WD Community Forum user sunpeak made a post explaining that he found that all his data is gone and the owner password for device management had been changed. At the time of writing, this thread has had over 15,800 views and over 177 responses, many of which echo similar issues. Sunpeak then further elaborated on his issue later in the thread, showing logs of what appears to be a factory restore script being run.
After the initial forum post took off, there was a resounding silence from WD and outraged users who also posted on Reddit. Since then, though, WD has made its own forum post explaining that the company “has determined that some My Book Live devices are being compromised by malicious software,” leading to “a factory reset that appears to erase all data on the device.” To stop this from happening, WD “recommend[s] you disconnect your My Book Live from the Internet to protect your data on the device” and is actively investigating. Interestingly, the post also mentioned that the My Book Live got its final firmware update in 2015, so this is no fault of WDs, or is it?
Yesterday, a product security post on Western Digital’s website was updated with similar information to the forum post. Within that product security post, a common vulnerability enumeration (CVE) number was linked, dating back to 2019 with an assigned CVSS score of 9.8 out of 10, making it a quite critical vulnerability. That CVE then links to the WizCase Research Team, who, in 2020, researched the vulnerability and seemingly reported it to Western Digital. The response they reportedly received states that as the CVE only affects My Book Live devices, and Western Digital has no concern as “these products have been discontinued since 2014 and are no longer covered under our device software support lifecycle.”
Western Digital continued, explaining that if users wanted to continue to use the device that they “configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.” Ironically, the response also mentions that “Western Digital takes the security of our customers’ data seriously,” but requesting customers tinker with their firewall settings and ensure that only local access to the device is possible is quite a tall task.

Moreover, a CVE with a 9.8 CVSS score is nothing to scoff at, so WD probably should have gone back and made an exception to the software support lifecycle. However, this is not what happened, and now the company is in something of a pickle where users are losing data with little recourse. Moreover, there are still My Book Live devices for sale on places like Amazon, so new customers could be getting into the issue in the future as well.