CVE-2025-66954
Username Enumeration Vulnerability in Buffalo Link Station /nasapi
Publication date: 2026-04-20
Last updated on: 2026-04-20
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| buffalo | link_station | 1.85-0.01 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles, exposing sensitive user-related information such as User ID, Category, Role Description, Quota, Groups, and Primary Group.
Such unauthorized disclosure of user information can lead to a high confidentiality loss, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information against unauthorized access.
Although the vendor considers the exposed data non-critical and will not release a patch, organizations using the affected Buffalo LinkStation firmware should consider disabling the guest user account to mitigate unauthorized access and reduce compliance risks.
Can you explain this vulnerability to me?
CVE-2025-66954 is an Insecure Direct Object Reference (IDOR) vulnerability in Buffalo LinkStation firmware version 1.85-0.01. It occurs in the /nasapi endpoint, which does not properly check authorization when handling user-related requests.
This flaw allows unauthenticated or guest-level users to enumerate valid usernames along with their associated privilege roles and other metadata such as User ID, Category, Role Description, Quota, Groups, and Primary Group by modifying a parameter in the requests sent to the /nasapi endpoint.
How can this vulnerability impact me?
The vulnerability can lead to a high confidentiality loss due to unauthorized disclosure of sensitive user information.
Attackers with guest access (or, per the description, no account at all) can collect the list of valid accounts and their roles, which lets them aim later credential-guessing at the most privileged accounts; the CVE itself grants no extra privileges, so any escalation is indirect and comes from the reconnaissance it enables.
Since the attack vector is network-based with low complexity and no user interaction required, it poses a significant risk in environments where guest access is enabled.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Check the firmware version first: the advisory names LinkStation firmware 1.85-0.01 as affected. Then, on a device you are authorized to test, send requests to the /nasapi endpoint without a session (and again with only a guest session) and observe whether valid usernames and their associated privilege roles come back.
The advisory says the issue is triggered by modifying a parameter in requests to /nasapi but does not name that parameter, so the placeholders below have to be filled in from your own testing. What you are looking for in the response is the per-user data listed above: User ID, Category, Role Description, Quota, Groups, and Primary Group.
- Use tools like curl or wget to send HTTP requests to the /nasapi endpoint with modified parameters and no session cookie.
- Example command: curl "http://<target-ip>/nasapi?<parameter>=<modified_value>" -v
- Compare the body with what an authenticated administrator receives. If the same user records come back without credentials, the device is affected; a 401/403 or an empty result is the behaviour you expect from a device that is not affected or where guest access has already been disabled.
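The check described above, written out as a small script. This is an added example, not code from Buffalo or from the advisory: the advisory does not name the request parameter or document the /nasapi response format, so `PARAM` and `VALUE` are placeholders, the response classifier accepts either JSON or plain text, and the sample responses at the bottom are constructed for offline testing rather than captured from a device.

```python
"""Detection helper for CVE-2025-66954 style user enumeration on /nasapi.

Added example. PARAM / VALUE are placeholders (the advisory does not name the
parameter); the sample responses are constructed, not captured from a device.
"""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Set

# Per-user fields the advisory says are exposed.
EXPOSED_FIELDS = ("User ID", "Category", "Role Description",
                  "Quota", "Groups", "Primary Group")

# Hypothetical request parameter and value: fill in from your own authorized testing.
PARAM = "<parameter>"
VALUE = "<modified_value>"


def normalise(text: str) -> str:
    """Lower-case and strip non-alphanumerics so 'Role Description', 'role_description'
    and 'roleDescription' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


EXPOSED_KEYS = {normalise(f) for f in EXPOSED_FIELDS}


def fields_in_json(obj) -> Set[str]:
    """Walk a decoded JSON value and return the normalised exposed field names found
    at any depth (the real response nesting is unknown, so search everywhere)."""
    found: Set[str] = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            if normalise(str(key)) in EXPOSED_KEYS:
                found.add(normalise(str(key)))
            found |= fields_in_json(value)
    elif isinstance(obj, list):
        for item in obj:
            found |= fields_in_json(item)
    return found


def looks_like_user_enumeration(body: str, threshold: int = 3) -> bool:
    """True if the body exposes at least `threshold` of the advisory's per-user fields.
    JSON is parsed structurally; anything else gets a plain-text scan, so the check
    works whichever format the endpoint actually returns."""
    try:
        found = fields_in_json(json.loads(body))
    except ValueError:
        flat = normalise(body)
        found = {key for key in EXPOSED_KEYS if key in flat}
    return len(found) >= threshold


def probe(base_url: str, session_cookie: Optional[str] = None, timeout: float = 10.0) -> str:
    """Send one request to /nasapi and return the response body.
    session_cookie=None is the unauthenticated check; pass a guest session's cookie
    to test guest-level access. HTTP error bodies (401/403) are returned too, so the
    caller can classify them. Only run this against devices you are authorized to test."""
    url = base_url.rstrip("/") + "/nasapi?" + urllib.parse.urlencode({PARAM: VALUE})
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-66954-check"})
    if session_cookie:
        req.add_header("Cookie", session_cookie)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", errors="replace")


# Constructed sample responses (not captured from a real LinkStation).
SAMPLE_VULNERABLE = json.dumps({"users": [{
    "User ID": 1000, "Category": "local", "Role Description": "Administrator",
    "Quota": 0, "Groups": ["admin"], "Primary Group": "admin"}]})
SAMPLE_CLEAN = json.dumps({"error": "authentication required"})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # python3 nasapi_check.py http://<target-ip>
        verdict = looks_like_user_enumeration(probe(sys.argv[1]))
        print("user enumeration detected" if verdict else "not detected")
    else:
        print(looks_like_user_enumeration(SAMPLE_VULNERABLE),   # True
              looks_like_user_enumeration(SAMPLE_CLEAN))        # False
```

Run it once with no session cookie and once with a guest session; the advisory describes both as affected, and the second run is also the quickest way to confirm that disabling the guest account actually closed the path on your device. The threshold of three fields keeps a lone word such as "Category" in an unrelated error message from producing a false positive.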
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to disable the guest user account on the Buffalo LinkStation device to prevent unauthorized or unauthenticated access to the /nasapi endpoint.
Since the vendor will not release a patch, disabling guest access is the primary way to reduce the risk of exploitation. Because the description also mentions unauthenticated access, re-test /nasapi without any session after the change to confirm the user data is no longer returned, and keep the NAS web interface off the internet and limited to a management network so that the remaining exposure is only to hosts that can already reach the device.