So it looks like a RCE reported in 2018 and let unfixed is actively used for the recent data deletion event, and Krebs to add:
« Western Digital’s response at the time was that the affected devices were no longer supported and that customers should avoid connecting them to the Internet. That response also suggested this bug has been present in its devices for at least a decade »