Skip to main content

Buffalo Wi Fi Router Products CVE-2026-27650

| EUVDEUVD-2026-16543 HIGH
OS Command Injection (CWE-78)
2026-03-27 jpcert
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 27, 2026 - 06:00 euvd
EUVD-2026-16543
Analysis Generated
Mar 27, 2026 - 06:00 vuln.today
CVE Published
Mar 27, 2026 - 05:24 nvd
HIGH 8.6

DescriptionCVE.org

OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary OS command may be executed on the products.

AnalysisAI

Remote OS command injection in BUFFALO Wi-Fi router products allows unauthenticated attackers to execute arbitrary operating system commands with user interaction required. The vulnerability affects multiple BUFFALO Wi-Fi router models as confirmed by CPE designation and carries a CVSS score of 8.8 (High severity). While attack complexity is low and no privileges are required, successful exploitation depends on user interaction, reducing immediate attack surface. No public exploit identified at time of analysis, and exploitation probability metrics are not available in provided intelligence.

Technical ContextAI

This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS command injection. The affected technology comprises BUFFALO Inc.'s Wi-Fi router product line (CPE: cpe:2.3:a:buffalo_inc.:buffalo_wi-fi_router_products). Command injection occurs when an application passes unsafe user-supplied data to a system shell without proper validation or sanitization, allowing attackers to inject shell metacharacters and execute arbitrary commands with the privileges of the vulnerable process. In network devices like routers, this typically manifests through web management interfaces, configuration APIs, or network service handlers that fail to sanitize input parameters before passing them to underlying system calls or shell commands.

RemediationAI

Consult the official BUFFALO security advisory at https://www.buffalo.jp/news/detail/20260323-01.html for model-specific firmware updates and patch deployment instructions. The vendor advisory published March 23, 2026, contains detailed remediation guidance including affected firmware versions and patched release information. Until firmware updates can be applied, implement defense-in-depth measures including: restricting router management interface access to trusted internal networks only (disable WAN-side administration), implementing strong administrator credentials, educating administrators about phishing and social engineering risks given the UI:R requirement, and monitoring router logs for suspicious command execution patterns. Additional technical details and mitigation recommendations are available in the JVN advisory at https://jvn.jp/en/jp/JVN83788689/ published by JPCERT.

Share

CVE-2026-27650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy