This little guy caught my eye as well and I decided I'd share what I have learned about it...
First of all, it's running off the AirStash software. The previous versions of this software have had success running commands by exec in server side includes. This is not the case with the SanDisk drive :(
There is a firmware file available on the website here:
http://kb.sandisk.com/app/answers/detail/a_id/12713
Placed on the root of the drive, the drive will flash the firmware. I've run the file through binrev with no success, maybe some weird compression I don't know too much about.
A port scan of the device shows only httpd; the device also has WebDAV support.
The device has the ability to connect to your own WiFi, if you set it up via the app, so that you can transfer files without losing internet connection.
When connected to the drive on the computer, on the root of the server is a status.xml file which basically provides all the information available to the app. (WiFi status, card status, etc.)
On the web interface there is also a settings page that allows you to change the name/set a password. This is probably the best attack vector.
That's all I got