CVE-2026-33280

Critical

Published: 27 March 2026

Published

27 March 2026

Modified

31 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product’s debugging functionality, resulting in the execution of arbitrary OS commands.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely remediation of flaws through firmware patching directly eliminates the hidden debugging functionality exploited for arbitrary OS command execution.

CM-7 Least Functionality good match

prevent

Configuring the router to disable non-essential debugging capabilities prevents unauthorized access to command execution features.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Identifying and prohibiting unauthenticated access to sensitive functions like debugging ensures no hidden capabilities are exploitable without authorization.

Security SummaryAI

CVE-2026-33280 is a hidden functionality vulnerability (CWE-912) present in BUFFALO Wi-Fi router products. Published on 2026-03-27, it allows attackers to access the product's debugging functionality, which may result in the execution of arbitrary OS commands. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.

A remote attacker with network access can exploit this vulnerability without authentication, privileges, or user interaction. Exploitation involves low complexity and leads to high confidentiality, integrity, and availability impacts, enabling full compromise of the affected router through arbitrary OS command execution.

Advisories detailing mitigations and patches are available from JVN at https://jvn.jp/en/jp/JVN83788689/ and Buffalo at https://www.buffalo.jp/news/detail/20260323-01.html. Security practitioners should review these sources for specific firmware updates, configuration changes, or other remediation steps applicable to affected products.

Details

CWE(s): CWE-912

Affected Products

buffalo

wcr-1166dhpl firmware

≤ 1.01

buffalo

wsr3600be4-kh firmware

≤ 6.02

buffalo

wsr3600be4p firmware

≤ 5.02

buffalo

wxr-1750dhp firmware

≤ 2.63

buffalo

wxr-1750dhp2 firmware

≤ 2.63

buffalo

wxr18000be10p firmware

≤ 5.03

buffalo

wxr-1900dhp firmware

≤ 2.53

buffalo

wxr-1900dhp2 firmware

≤ 2.62

buffalo

wxr-1900dhp3 firmware

≤ 2.66

buffalo

wxr-5950ax12 firmware

≤ 3.57

+36 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Remote unauthenticated exploitation of public-facing Wi-Fi router debugging functionality enables arbitrary OS command execution, directly mapping to Exploit Public-Facing Application (T1190) and Network Device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://jvn.jp/en/jp/JVN83788689/
Third Party Advisory · vultures@jpcert.or.jp
https://www.buffalo.jp/news/detail/20260323-01.html
Vendor Advisory · vultures@jpcert.or.jp