CVE-2026-29516 in TeraStation NAS TS5400R
Summary
by MITRE • 03/16/2026
Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an excessive file permissions vulnerability that allows authenticated attackers to read the /etc/shadow file by uploading and executing a PHP file through the webserver. Attackers can exploit world-readable permissions on /etc/shadow to retrieve hashed passwords for all configured accounts including root.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-29516 affects Buffalo TeraStation NAS TS5400R devices running firmware versions 4.02-0.06 and earlier, representing a critical access control flaw that undermines the fundamental security posture of network-attached storage systems. This issue stems from improper file permission configurations within the device's filesystem, creating a pathway for authenticated attackers to escalate privileges and extract sensitive credential information. The vulnerability specifically targets the /etc/shadow file which contains hashed passwords for all user accounts including administrative privileges, making it a prime target for attackers seeking persistent access to the system.
The technical exploitation mechanism involves a multi-stage attack vector that begins with authentication to the device's web interface followed by the upload and execution of a malicious PHP script. This approach leverages the web server's inadequate permission controls to bypass normal access restrictions, allowing attackers to read files that should normally be restricted to privileged users only. The underlying flaw demonstrates poor privilege separation and inadequate file system security controls, as the /etc/shadow file is configured with world-readable permissions when it should be accessible only to root and specific system processes. This configuration violates fundamental security principles and creates an implicit trust model that fails to enforce proper access controls.
The operational impact of this vulnerability extends beyond simple credential theft, as the extracted password hashes provide attackers with comprehensive access to all user accounts on the system. The root account credentials obtained through this method could enable complete system compromise, allowing attackers to modify configurations, install malicious software, or establish persistent backdoors. Network administrators face significant risk when such vulnerabilities exist, as they can lead to unauthorized data access, system takeover, and potential lateral movement within network environments where the affected NAS devices are deployed. The vulnerability also increases the attack surface for broader network compromises, particularly in environments where NAS devices serve as central storage points for sensitive corporate data.
Mitigation strategies should prioritize immediate firmware updates to versions that address the permission configuration issues, while also implementing additional security controls such as network segmentation to limit access to NAS devices and monitoring for unauthorized PHP file uploads. Security teams must conduct comprehensive assessments of their NAS deployments to identify similar permission vulnerabilities across other network devices and implement principle of least privilege configurations for all system files. The vulnerability aligns with CWE-732, which addresses inadequate permission settings, and represents a clear violation of ATT&CK technique T1003.008 related to credential dumping through file system access. Organizations should also consider implementing intrusion detection systems to monitor for suspicious file upload activities and establish regular security audits to identify and remediate similar access control weaknesses across their infrastructure.