CVE-2026-29516
Excessive File Permissions in Buffalo TeraStation NAS Exposes /etc/shadow
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| buffalo | terastation_nas_ts5400r | to 4.02-0.06 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'This vulnerability affects Buffalo TeraStation NAS TS5400R devices running firmware version 4.02-0.06 and earlier. It is caused by excessive file permissions that allow authenticated attackers to read the /etc/shadow file.'}, {'type': 'paragraph', 'content': "Attackers exploit this by uploading and executing a PHP file through the device's webserver, which then leverages the world-readable permissions on the /etc/shadow file to retrieve hashed passwords for all configured accounts, including the root account."}] [2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of hashed passwords for all user accounts on the affected device, including the root account.
If an attacker obtains these hashed passwords, they may attempt to crack them to gain elevated access or control over the device, potentially compromising the confidentiality and integrity of stored data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves excessive file permissions on the /etc/shadow file that allow authenticated attackers to read it by uploading and executing a PHP file through the webserver on Buffalo TeraStation NAS TS5400R devices.'}, {'type': 'paragraph', 'content': 'To detect if your system is vulnerable, you can check the permissions of the /etc/shadow file to see if it is world-readable.'}, {'type': 'list_item', 'content': 'Run the command: ls -l /etc/shadow'}, {'type': 'list_item', 'content': 'If the permissions show world-readable (e.g., -rw-r--r--), the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Additionally, check for any unauthorized PHP files uploaded to the webserver directories that could be used to exploit this vulnerability.'}, {'type': 'list_item', 'content': "Use commands like: find /var/www -name '*.php' -exec ls -l {} \\;"}] [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting the permissions on the /etc/shadow file to prevent world-readable access.
- Change the permissions of /etc/shadow to be readable only by root: chmod 640 /etc/shadow
- Remove any unauthorized PHP files uploaded to the webserver that could be used to exploit the vulnerability.
Since the affected product has reached end-of-life status, consider upgrading to a newer device or firmware version that addresses this issue.
Limit authenticated user access to the webserver to trusted users only, as the vulnerability requires authentication.