{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33280", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-25T06:25:26.636Z", "datePublished": "2026-03-27T05:25:41.078Z", "dateUpdated": "2026-03-27T19:54:05.856Z"}, "containers": {"cna": {"affected": [{"vendor": "BUFFALO INC.", "product": "BUFFALO Wi-Fi router products", "versions": [{"version": "See \"References\" section", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product\u2019s debugging functionality, resulting in the execution of arbitrary OS commands."}], "problemTypes": [{"descriptions": [{"description": "Hidden functionality", "lang": "en-US", "cweId": "CWE-912", "type": "CWE"}]}], "references": [{"url": "https://www.buffalo.jp/news/detail/20260323-01.html"}, {"url": "https://jvn.jp/en/jp/JVN83788689/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-27T05:25:41.078Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:53:56.292921Z", "id": "CVE-2026-33280", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:54:05.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33280", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T19:53:56.292921Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:54:01.763Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "BUFFALO INC.", "product": "BUFFALO Wi-Fi router products", "versions": [{"status": "affected", "version": "See \"References\" section"}]}], "references": [{"url": "https://www.buffalo.jp/news/detail/20260323-01.html"}, {"url": "https://jvn.jp/en/jp/JVN83788689/"}], "descriptions": [{"lang": "en", "value": "Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product\u2019s debugging functionality, resulting in the execution of arbitrary OS commands."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-912", "description": "Hidden functionality"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-27T05:25:41.078Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33280", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:54:05.856Z", "dateReserved": "2026-03-25T06:25:26.636Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-03-27T05:25:41.078Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product\u2019s debugging functionality, resulting in the execution of arbitrary OS commands."}], "id": "CVE-2026-33280", "lastModified": "2026-03-27T06:16:38.837", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-03-27T06:16:38.837", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN83788689/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.buffalo.jp/news/detail/20260323-01.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-912"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T07:22:24.314074+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update released by Buffalo that removes or disables the hidden debug functionality", "Disable or restrict access to any debugging options in the router\u2019s web interface if the setting is available", "Restrict administrative access to the router to trusted IP addresses or segments using firewall rules or VLAN segmentation", "Monitor router logs for unexpected command execution or unauthorized access attempts", "If an update is not available, isolate the router from critical network segments until a patch can be applied"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Buffalo Wi\u2011Fi router products distributed by Buffalo Inc. Specific firmware or model numbers are not listed, so any device containing the undocumented debug feature may be vulnerable. Users should review their router\u2019s firmware version and consult the vendor for updates or guidance.", "description_and_impact": "A hidden debug functionality in Buffalo Wi\u2011Fi router products enables the execution of arbitrary operating system commands, providing an attacker with full control of the device. The flaw is described by CWE\u2011912, a weakness that allows remote code execution through untrusted input. Successful exploitation would compromise the router, potentially allowing traffic interception, unauthorized network access, or persistence on the network.", "risk_and_exploitability": "With a CVSS score of 8.6, the vulnerability has a high severity rating, indicating significant impact if exploited. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, but these omissions do not reduce the potential risk. Based on the description, it is inferred that the debugging interface may be accessed remotely via the router\u2019s management network interface, requiring network connectivity and possibly local administrative credentials. The exploit\u2019s success would grant the attacker high privileges on the device, enabling a range of malicious actions."}}}}, "created": "2026-03-27T09:22:12.452730+00:00", "title": "Debug Functionality Exploitation Leading to Arbitrary OS Command Execution in Buffalo Wi\u2011Fi Routers", "updated": "2026-03-27T09:22:12.452752+00:00", "vendors": []}