JVNDB-2026-000043

SHARP routers missing authentication for some web APIs

Overview

SHARP routers do not perform authentication for some web APIs.
Those web APIs provide device information, and the initial administrative password is based on a part of the device information.
  • Missing authentication for critical function (CWE-306) - CVE-2026-32326
Shota Zaizen reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.7 (Medium) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
CVSS v4 Severity
Base Metrics: 6.9 (Medium) [IPA Score]
  • Access Vector (AV): Adjacent Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Vulnerable System Impact
      • Confidentiality Impact (VC): High
      • Integrity Impact (VI): None
      • Availability Impact (VA): None
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
Affected Products


KDDI
  • Speed Wi-Fi 5G X01 versions 3RJP_2_03I and earlier
SoftBank
  • 5G Mobile Router SH-U01 versions S4.48.00 and earlier
  • Pocket WiFi 5G A503SH versions S7.41.00 and earlier
NTT DOCOMO, INC.
  • home 5G HR01 versions 38JP_0_490 and earlier
  • home 5G HR02 versions S5.A1.00 and earlier
  • Wi-Fi STATION SH-52A versions 38JP_2_03J and earlier
  • Wi-Fi STATION SH-52B versions S3.87.15 and earlier
  • Wi-Fi STATION SH-54C versions S6.64.00 and earlier

Impact

The device information may be retrieved without authentication.
If the administrative password of the device is left as the initial one, the device may be vulnerable to unauthorized access.
Solution

[Update the firmware]
Update the firmware to the latest version.

Note that support for Wi-Fi STATION SH-52A and Speed Wi-Fi 5G X01 has been discontinued, and no further updates will be provided.
The developer recommends that users apply the workaround.

For more information, refer to the information provided by the developer.
Vendor Information

  • KDDI
  • Sharp Corporation
  • SoftBank
  • NTT DOCOMO, INC.
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2026-32326
References

  1. JVN : JVN#49524110
Revision History

  • [2026/03/25]
      Web page was published