CVE-2026-29516
Received Received - Intake
Excessive File Permissions in Buffalo TeraStation NAS Exposes /etc/shadow

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: VulnCheck

Description
Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an excessive file permissions vulnerability that allows authenticated attackers to read the /etc/shadow file by uploading and executing a PHP file through the webserver. Attackers can exploit world-readable permissions on /etc/shadow to retrieve hashed passwords for all configured accounts including root.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29516
EUVD
EUVD-2026-12494
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
buffalo terastation_nas_ts5400r to 4.02-0.06 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability affects Buffalo TeraStation NAS TS5400R devices running firmware version 4.02-0.06 and earlier. It is caused by excessive file permissions that allow authenticated attackers to read the /etc/shadow file.'}, {'type': 'paragraph', 'content': "Attackers exploit this by uploading and executing a PHP file through the device's webserver, which then leverages the world-readable permissions on the /etc/shadow file to retrieve hashed passwords for all configured accounts, including the root account."}] [2]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of hashed passwords for all user accounts on the affected device, including the root account.

If an attacker obtains these hashed passwords, they may attempt to crack them to gain elevated access or control over the device, potentially compromising the confidentiality and integrity of stored data.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves excessive file permissions on the /etc/shadow file that allow authenticated attackers to read it by uploading and executing a PHP file through the webserver on Buffalo TeraStation NAS TS5400R devices.'}, {'type': 'paragraph', 'content': 'To detect if your system is vulnerable, you can check the permissions of the /etc/shadow file to see if it is world-readable.'}, {'type': 'list_item', 'content': 'Run the command: ls -l /etc/shadow'}, {'type': 'list_item', 'content': 'If the permissions show world-readable (e.g., -rw-r--r--), the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Additionally, check for any unauthorized PHP files uploaded to the webserver directories that could be used to exploit this vulnerability.'}, {'type': 'list_item', 'content': "Use commands like: find /var/www -name '*.php' -exec ls -l {} \\;"}] [2]

Mitigation Strategies

Immediate mitigation steps include restricting the permissions on the /etc/shadow file to prevent world-readable access.

  • Change the permissions of /etc/shadow to be readable only by root: chmod 640 /etc/shadow
  • Remove any unauthorized PHP files uploaded to the webserver that could be used to exploit the vulnerability.

Since the affected product has reached end-of-life status, consider upgrading to a newer device or firmware version that addresses this issue.

Limit authenticated user access to the webserver to trusted users only, as the vulnerability requires authentication.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart