
Insecure Direct Object Reference (IDOR) in /nasapi allows user enumeration


Apr 09, 2026

Summary

A vulnerability in the /nasapi endpoint of Buffalo NAS devices allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles.

Vulnerability ID: CVE-2025-66954
Vulnerability Overview: By manipulating specific parameters in requests sent to the /nasapi endpoint, an attacker with guest-level access can cause the device to return detailed information about other users, including usernames, user IDs, group memberships, and assigned privilege roles.


Affected Supported TeraStations
All NAS products
 

Impact:
The following information can be obtained:
Username, User ID, Category, Role, Description, Quota, Groups, Primary Group
 

Recommended Action:
To mitigate this risk immediately, it is highly recommended to disable the guest user account. This prevents unauthenticated users from accessing the /nasapi endpoint used to trigger the enumeration.
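As an added detection example, not part of this notice and not Buffalo code, the script below scans access-log lines for guest-level requests to /nasapi and for clients that query many distinct user records; the log line format, the "guest"/"anonymous" role names and the "user" query parameter are assumptions (the notice does not name the manipulated parameters), so adapt them to the device's real log output.

```python
"""Added example: flag guest-level /nasapi requests and enumeration bursts."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines. The "ip role method url status" layout and the
# "user" parameter name are assumptions, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 guest GET /nasapi?op=userinfo&user=1000 200
10.0.0.5 guest GET /nasapi?op=userinfo&user=1001 200
10.0.0.5 guest GET /nasapi?op=userinfo&user=1002 200
10.0.0.5 guest GET /nasapi?op=userinfo&user=1003 200
10.0.0.9 admin GET /nasapi?op=userinfo&user=1001 200
10.0.0.7 guest GET /index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
ENUM_THRESHOLD = 3  # distinct target users per client before alerting
LOW_PRIV_ROLES = ("guest", "anonymous")  # assumed role labels


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, role, method, url, status = m.groups()
    parts = urlsplit(url)
    return {"ip": ip, "role": role, "method": method, "path": parts.path,
            "query": parse_qs(parts.query), "status": int(status)}


def analyze(log_text):
    """Return (guest_hits, enumerators): low-privilege /nasapi requests, and
    client IPs that requested more than ENUM_THRESHOLD distinct user ids."""
    guest_hits = []
    targets = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != "/nasapi":
            continue  # only the advisory's endpoint is of interest
        if rec["role"] in LOW_PRIV_ROLES:
            guest_hits.append(rec)
        for uid in rec["query"].get("user", []):
            targets[rec["ip"]].add(uid)
    enumerators = {ip: len(s) for ip, s in targets.items() if len(s) > ENUM_THRESHOLD}
    return guest_hits, enumerators


if __name__ == "__main__":
    hits, enums = analyze(SAMPLE_LOG)
    print(f"{len(hits)} guest-level /nasapi requests; enumeration from: {enums}")
```

After the guest account is disabled as recommended, any remaining guest-role hit on /nasapi in the logs indicates the mitigation has not taken effect.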
 

 

Date | Description
04/09/2026 | Initial release