Buffalo TeraStation NAS TS5400R devices running firmware version 4.02-0.06 and earlier contain a vulnerability identified as CVE-2026-29516, classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). The flaw arises from excessive file permissions on the /etc/shadow file, which stores hashed passwords for all system accounts, including the root user. An authenticated attacker can upload a malicious PHP script through the device's webserver interface and execute it, leveraging the improper permissions to read the /etc/shadow file. This exposure allows the attacker to obtain hashed password data, which can be subjected to offline cracking attempts to recover plaintext credentials. The vulnerability requires the attacker to have valid authentication credentials but does not require any user interaction beyond that. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H means high privileges required, but here it is authenticated), no user interaction (UI:N), and high impact on confidentiality (VC:H) with no impact on integrity or availability. No patches or exploits are currently publicly available, but the risk remains significant due to the sensitive nature of the exposed data and the potential for lateral movement or full system compromise if credentials are cracked.

The primary impact of this vulnerability is the compromise of confidentiality through unauthorized disclosure of hashed passwords, including the root account. If attackers successfully crack these hashes, they can gain full administrative control over the affected NAS device, leading to data theft, data manipulation, or disruption of services. Organizations relying on Buffalo TeraStation NAS TS5400R for critical storage may face significant operational and reputational damage. The breach of root credentials could also facilitate further attacks within the network, such as lateral movement or deployment of ransomware. Since the vulnerability requires authenticated access, insider threats or compromised credentials pose a direct risk. The lack of current public exploits reduces immediate widespread impact but does not eliminate the threat, especially in targeted attacks against organizations using these devices.

To mitigate this vulnerability, organizations should first verify if their Buffalo TeraStation NAS TS5400R devices are running affected firmware versions (4.02-0.06 or earlier). Since no official patches are currently available, administrators should restrict access to the webserver interface to trusted users only, ideally through network segmentation and firewall rules limiting access to management interfaces. Implement strong authentication mechanisms and enforce strict password policies to reduce the risk of credential compromise. Disable or restrict the ability to upload and execute PHP or other scripts via the web interface if possible. Monitor device logs for suspicious upload or execution activities. Regularly audit file permissions on critical system files like /etc/shadow to ensure they are not world-readable. Finally, maintain close communication with Buffalo for firmware updates or official patches addressing this vulnerability and apply them promptly once released.