The vulnerability identified as CVE-2026-29516 affects Buffalo TeraStation NAS TS5400R devices running firmware version 4.02-0.06 and prior. It is classified under CWE-732, indicating incorrect permission assignment for a critical resource. Specifically, the vulnerability arises because the /etc/shadow file, which stores hashed passwords for all system accounts including root, is assigned world-readable permissions due to a flaw in the firmware. An authenticated attacker can exploit this by uploading and executing a PHP file through the device's webserver interface. This PHP file can then read the /etc/shadow file, exposing sensitive password hashes. The vulnerability requires the attacker to have valid credentials (authenticated access) but does not require user interaction or elevated privileges beyond authentication. The CVSS 4.0 base score is 6.9 (medium severity), reflecting network attack vector, low attack complexity, no user interaction, and high impact on confidentiality. The vulnerability does not affect availability or integrity directly but poses a significant risk of credential compromise, which can lead to further unauthorized access or lateral movement within networks. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. However, the exposure of password hashes, especially for the root account, represents a critical security risk if leveraged by attackers.

The primary impact of this vulnerability is the compromise of confidentiality of user credentials on affected Buffalo TeraStation NAS devices. By exposing the /etc/shadow file, attackers can obtain hashed passwords for all system accounts, including the highly privileged root account. If attackers succeed in cracking these hashes, they can gain unauthorized administrative access to the NAS device, potentially leading to data theft, data manipulation, or disruption of NAS services. This could also serve as a foothold for further attacks within an organization's internal network, especially if the NAS device is integrated with other critical systems or stores sensitive data. The vulnerability affects organizations that rely on Buffalo TeraStation NAS TS5400R for storage, backup, or file sharing, particularly in sectors with high data sensitivity such as finance, healthcare, government, and enterprise IT. The medium severity rating indicates a significant risk but requires authenticated access, which somewhat limits the attack surface. However, given the critical nature of the compromised data and potential for privilege escalation, the impact can be severe if exploited.

1. Immediate mitigation should include restricting access to the NAS webserver interface to trusted networks and users only, minimizing the risk of unauthorized authentication. 2. Implement strong, unique passwords for all NAS accounts to reduce the likelihood of credential compromise. 3. Monitor and audit authentication logs on the NAS device for suspicious login attempts or unusual activity. 4. Disable or restrict the ability to upload and execute PHP files or any executable scripts through the webserver interface if possible. 5. If available, apply firmware updates or patches from Buffalo addressing this vulnerability as soon as they are released. 6. In absence of patches, consider isolating the affected NAS devices from critical network segments to limit potential lateral movement. 7. Employ network-level protections such as firewalls and intrusion detection/prevention systems to detect and block anomalous webserver activity. 8. Regularly back up NAS data and verify backup integrity to ensure recovery capability in case of compromise. 9. Conduct password hash audits and enforce password complexity policies to mitigate the risk of hash cracking. 10. Engage with Buffalo support for guidance and updates regarding this vulnerability.