JVNDB-2026-000046

Multiple vulnerabilities in BUFFALO Wi-Fi routers

Overview

Wi-Fi router products provided by BUFFALO INC. contain multiple vulnerabilities listed below.
  • Dependency on vulnerable third-party component (CWE-1395) - This issue is caused by a vulnerability in mini_httpd (CVE-2015-1548).
  • OS command injection (CWE-78) - CVE-2026-27650
  • Code injection (CWE-94) - CVE-2026-32669
  • Authentication bypass using an alternate path or channel (CWE-288) - CVE-2026-32678
  • Hidden functionality (CWE-912) - CVE-2026-33280
  • Missing authentication for critical function (CWE-306) - CVE-2026-33366

CVE-2015-1548
Justus W. Perlwitz of JWP Consulting reported this vulnerability to BUFFALO INC. and coordinated with the developer.
After the coordination was completed, BUFFALO INC. reported the case to JPCERT/CC to notify users of the solution through JVN.

CVE-2026-27650
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2026-32669
Koji Ando and KIRISHIKI Yudai of National Institute of Information and Communications Technology reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2026-32678, CVE-2026-33280, CVE-2026-33366
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS v3 Severity
Base Metrics: 8.8 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 8.6 (High) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): Active
  • Vulnerable System Impact
      • Confidentiality Impact (VC): High
      • Integrity Impact (VI): High
      • Availability Impact (VA): High
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-27650.


CVSS v3 Severity
Base Metrics: 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS v4 Severity
Base Metrics: 6.9 (Medium) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Vulnerable System Impact
      • Confidentiality Impact (VC): Low
      • Integrity Impact (VI): None
      • Availability Impact (VA): None
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
This issue is caused by a vulnerability in mini_httpd (CVE-2015-1548).


CVSS v3 Severity
Base Metrics: 8.8 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 8.7 (High) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): Passive
  • Vulnerable System Impact
      • Confidentiality Impact (VC): High
      • Integrity Impact (VI): High
      • Availability Impact (VA): High
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-32669.


CVSS v3 Severity
Base Metrics: 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
CVSS v4 Severity
Base Metrics: 8.7 (High) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Vulnerable System Impact
      • Confidentiality Impact (VC): None
      • Integrity Impact (VI): High
      • Availability Impact (VA): None
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-32678.


CVSS v3 Severity
Base Metrics: 7.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 8.6 (High) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): High
  • User Interaction (UI): None
  • Vulnerable System Impact
      • Confidentiality Impact (VC): High
      • Integrity Impact (VI): High
      • Availability Impact (VA): High
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-33280.


CVSS v3 Severity
Base Metrics: 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS v4 Severity
Base Metrics: 6.9 (Medium) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Vulnerable System Impact
      • Confidentiality Impact (VC): None
      • Integrity Impact (VI): None
      • Availability Impact (VA): Low
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-33366.

Affected Products


BUFFALO INC.
  • Multiple BUFFALO Wi-Fi router products

For details on affected product names and versions, refer to the information provided by the developer.

Impact

  • Sensitive information may be accessed from process memory (CVE-2015-1548)
  • An arbitrary OS command may be executed on the products (CVE-2026-27650)
  • Arbitrary code may be executed on the products (CVE-2026-32669)
  • An attacker may be able to alter critical configuration settings without authentication (CVE-2026-32678)
  • An attacker may gain access to the product's debugging functionality, resulting in the execution of arbitrary OS commands (CVE-2026-33280)
  • An attacker may be able to forcibly reboot the product without authentication (CVE-2026-33366)

Solution

[Update the firmware]
Update the firmware according to the information provided by the developer.

Vendor Information

BUFFALO INC.

CWE

  1. OS Command Injection (CWE-78) [IPA Evaluation]
  2. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2026-27650
  2. CVE-2026-32669
  3. CVE-2026-32678
  4. CVE-2026-33280
  5. CVE-2026-33366

References

  1. JVN : JVN#83788689

Revision History

  • [2026/03/27]
      Web page was published