{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32669", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-25T06:25:33.514Z", "datePublished": "2026-03-27T05:24:52.376Z", "dateUpdated": "2026-03-27T05:24:52.376Z"}, "containers": {"cna": {"affected": [{"vendor": "BUFFALO INC.", "product": "BUFFALO Wi-Fi router products", "versions": [{"version": "See \"References\" section", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Code injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary code may be executed on the products."}], "problemTypes": [{"descriptions": [{"description": "Code injection", "lang": "en-US", "cweId": "CWE-94", "type": "CWE"}]}], "references": [{"url": "https://www.buffalo.jp/news/detail/20260323-01.html"}, {"url": "https://jvn.jp/en/jp/JVN83788689/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-27T05:24:52.376Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Code injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary code may be executed on the products."}], "id": "CVE-2026-32669", "lastModified": "2026-03-27T06:16:38.450", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-03-27T06:16:38.450", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN83788689/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.buffalo.jp/news/detail/20260323-01.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T07:23:14.669074+00:00", "value": {"mitigation_remediation": ["Apply the official firmware update released by Buffalo to address the code injection flaw.", "If an update is not yet available, temporarily block or disable the router\u2019s web management interface from external networks.", "Change the default administrator password to a strong, unique value for all managed devices.", "Configure the router\u2019s firewall to allow management traffic only from trusted IP addresses."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The affected products are BUFFALO Wi\u2011Fi routers manufactured by BUFFALO INC. No specific firmware or device versions are listed, so any model that incorporates the vulnerable component is potentially at risk.", "description_and_impact": "The vulnerability is a code injection flaw (CWE\u201194) that allows an attacker to execute arbitrary code on BUFFALO Wi\u2011Fi router products. Because the code runs with the privileges of the device, an attacker could compromise the router\u2019s network connectivity, intercept traffic, or use the router as a foothold to reach other systems. This represents a serious breach of confidentiality, integrity, and availability for the affected network.", "risk_and_exploitability": "With a CVSS score of 8.7 the vulnerability is considered high severity. Exploitation is feasible over the internet, likely through the router\u2019s web management interface, and does not require special conditions beyond reaching the interface. Although EPSS data is unavailable and the issue is not listed in KEV, the remote code execution nature warrants high attention and an urgent response."}}}}, "created": "2026-03-27T09:22:14.383277+00:00", "title": "Code Injection Vulnerability in BUFFALO Wi\u2011Fi Router Allowing Arbitrary Code Execution", "updated": "2026-03-27T09:22:14.383300+00:00", "vendors": []}