Executive Summary

CVE-2025-66954 is an Insecure Direct Object Reference (IDOR) vulnerability in Buffalo LinkStation firmware version 1.85-0.01. It occurs in the /nasapi endpoint, which does not properly check authorization when handling user-related requests.

This flaw allows unauthenticated or guest-level users to enumerate valid usernames along with their associated privilege roles and other metadata such as User ID, Category, Role Description, Quota, Groups, and Primary Group by modifying a parameter in the requests sent to the /nasapi endpoint.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles, exposing sensitive user-related information such as User ID, Category, Role Description, Quota, Groups, and Primary Group.

Such unauthorized disclosure of user information can lead to a high confidentiality loss, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information against unauthorized access.

Although the vendor considers the exposed data non-critical and will not release a patch, organizations using the affected Buffalo LinkStation firmware should consider disabling the guest user account to mitigate unauthorized access and reduce compliance risks.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to a high confidentiality loss due to unauthorized disclosure of sensitive user information.

Attackers with guest access can gather detailed user information which may be used for indirect privilege escalation through reconnaissance.

Since the attack vector is network-based with low complexity and no user interaction required, it poses a significant risk in environments where guest access is enabled.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending requests to the /nasapi endpoint of the Buffalo LinkStation firmware version 1.85-0.01 and observing if valid usernames and their associated privilege roles are enumerated without authentication.

Since the issue is triggered by modifying a parameter within requests to the /nasapi endpoint, detection involves crafting such requests and checking the response for user-related information such as User ID, Category, Role Description, Quota, Groups, and Primary Group.

• Use tools like curl or wget to send HTTP requests to the /nasapi endpoint with modified parameters.
• Example command: curl -X GET "http://<target-ip>/nasapi?parameter=<modified_value>" -v
• Analyze the response for user enumeration data indicating the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to disable the guest user account on the Buffalo LinkStation device to prevent unauthorized or unauthenticated access to the /nasapi endpoint.

Since the vendor will not release a patch, disabling guest access is the primary way to reduce the risk of exploitation.

Useful 0 Not Useful 0