Buffalo LinkStation Username Enumeration Vulnerability via Insecure Direct Object Reference
Vulnerability
A vulnerability in Buffalo LinkStation firmware version 1.85-0.01 allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles. The cause is missing authorization on the '/nasapi' endpoint: it returns user records referenced by identifier without checking whether the caller is entitled to see them, a classic Insecure Direct Object Reference (IDOR).
Impact
This vulnerability allows guest users to enumerate usernames, retrieve associated privilege roles, and access additional user metadata such as user IDs, categories, descriptions, quotas, and group information.
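The following is an added illustration of the flaw class described above, not code from Buffalo's firmware. The advisory does not document the /nasapi request format, so the API shape, role names, field names and sample users are assumptions; what it shows is a user-directory lookup keyed by user id, once without an authorization check (the IDOR) and once hardened, plus the id-walking loop such a flaw permits.

```python
"""Illustrative model of an IDOR in a user-directory API (added example, not
Buffalo's code). Field names loosely follow the metadata the advisory says is
exposed: id, role, description, quota and group membership."""
from dataclasses import dataclass, asdict
from typing import Callable, Iterable


@dataclass(frozen=True)
class UserRecord:
    user_id: int
    username: str
    role: str            # "admin", "user" or "guest" (assumed role names)
    description: str
    quota_mb: int
    groups: tuple


# Constructed sample directory for the example; not real device data.
DIRECTORY = {
    1: UserRecord(1, "admin", "admin", "Built-in administrator", 0, ("admins",)),
    2: UserRecord(2, "alice", "user", "Finance", 20480, ("finance", "users")),
    3: UserRecord(3, "bob", "user", "Engineering", 51200, ("eng", "users")),
    100: UserRecord(100, "guest", "guest", "Guest account", 512, ("guests",)),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def get_user_vulnerable(caller: UserRecord, target_id: int) -> dict:
    """IDOR: the caller-supplied id is resolved with no check on who is asking,
    so a guest (or any low-privilege session) reads every record."""
    return asdict(DIRECTORY[target_id])


def get_user_hardened(caller: UserRecord, target_id: int) -> dict:
    """Authorize before resolving the object. Admins may read any record, other
    users only their own, guests nothing. The role check runs before the lookup
    so a non-admin cannot tell an existing id from a missing one by the error."""
    if caller.role == "guest":
        raise Forbidden("guest sessions may not read the user directory")
    if caller.role != "admin" and caller.user_id != target_id:
        raise Forbidden("users may only read their own record")
    record = DIRECTORY.get(target_id)
    if record is None:
        raise KeyError(target_id)
    return asdict(record)


def enumerate_users(caller: UserRecord,
                    handler: Callable[[UserRecord, int], dict],
                    id_range: Iterable[int] = range(1, 200)) -> list:
    """Walk a range of ids the way an IDOR is abused and collect the
    (username, role) pairs the handler leaks to this caller."""
    leaked = []
    for uid in id_range:
        try:
            rec = handler(caller, uid)
        except (Forbidden, KeyError):
            continue
        leaked.append((rec["username"], rec["role"]))
    return leaked


if __name__ == "__main__":
    guest = DIRECTORY[100]
    print("vulnerable, as guest:", enumerate_users(guest, get_user_vulnerable))
    print("hardened,   as guest:", enumerate_users(guest, get_user_hardened))
```

Against the vulnerable handler a guest session recovers every username and role by walking ids; against the hardened one it recovers nothing, and a regular user only sees itself. The ordering in the hardened handler matters: if the existence check ran first, a low-privilege caller could still map which ids exist from the difference between "not found" and "forbidden".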
Remediation
Buffalo has acknowledged the vulnerability but has stated that it will not release a patch. The recommended workaround is to disable the guest user account. Because the description also covers unauthenticated access, treat this as a partial mitigation and keep the LinkStation's web management interface reachable only from trusted networks.
