Cyber Resilience

CVE-2025-26167

High

Published: 06 March 2025

Published
06 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0018 38.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26167 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2025-26167 is an arbitrary file read vulnerability affecting the Buffalo LS520D NAS device running firmware version 4.53. The flaw resides in the NAS web UI, enabling attackers to access and read arbitrary internal files without authentication.

Unauthenticated attackers with network access can exploit this vulnerability remotely with low complexity and no user interaction required. Exploitation allows reading of sensitive internal files, resulting in high confidentiality impact but no integrity or availability disruption, as reflected in its CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and mapping to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Advisories detailing the issue, including potential mitigations, are available from SpikeReply at https://github.com/SpikeReply/advisories/blob/0f15f5aefb959fbaff049da7cc3e36733e25b580/cve/buffalo/cve-2025-26167.md. The CVE was published on 2025-03-06.

EU & UK References

Vulnerability details

Buffalo LS520D 4.53 is vulnerable to Arbitrary file read, which allows unauthenticated attackers to access the NAS web UI and read arbitrary internal files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Arbitrary unauthenticated file read in public-facing NAS web UI directly enables exploitation of public-facing applications (T1190) and collection of sensitive data from the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22973Shared CWE-200
CVE-2024-43707Shared CWE-200
CVE-2024-13606Shared CWE-200
CVE-2024-13622Shared CWE-200
CVE-2024-13611Shared CWE-200
CVE-2024-13600Shared CWE-200
CVE-2024-55272Shared CWE-200
CVE-2024-13568Shared CWE-200
CVE-2024-13638Shared CWE-200
CVE-2025-24253Shared CWE-200

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely application of firmware patches to remediate the arbitrary file read vulnerability in Buffalo LS520D firmware 4.53.

prevent

Enforces approved authorizations to block unauthenticated remote access to arbitrary internal files via the NAS web UI.

prevent

Limits public access to web UI resources, preventing unauthorized exposure of sensitive internal files without authentication.

References