{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32678", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-25T06:25:32.059Z", "datePublished": "2026-03-27T05:25:19.851Z", "dateUpdated": "2026-03-27T05:25:19.851Z"}, "containers": {"cna": {"affected": [{"vendor": "BUFFALO INC.", "product": "BUFFALO Wi-Fi router products", "versions": [{"version": "See \"References\" section", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication."}], "problemTypes": [{"descriptions": [{"description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en-US", "cweId": "CWE-288", "type": "CWE"}]}], "references": [{"url": "https://www.buffalo.jp/news/detail/20260323-01.html"}, {"url": "https://jvn.jp/en/jp/JVN83788689/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-27T05:25:19.851Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication."}], "id": "CVE-2026-32678", "lastModified": "2026-03-27T06:16:38.650", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-03-27T06:16:38.650", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN83788689/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.buffalo.jp/news/detail/20260323-01.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T07:50:45.395049+00:00", "value": {"mitigation_remediation": ["Visit the Buffalo support site and download the latest firmware update that addresses the authentication bypass issue.", "Apply the firmware update following the vendor\u2019s installation instructions.", "After updating, change the default administrative credentials to a strong, unique password.", "If remote management is enabled, restrict access to trusted IP addresses or disable it entirely unless a specific need exists."], "summary": {"action": "Patch Now", "impact": "Unauthorized configuration change"}, "threat_synthesis": {"affected_systems": "The affected devices are Buffalo Wi\u2011Fi router products distributed by Buffalo Inc. No specific firmware versions are listed, so all models that have not applied a firmware update which addresses this issue are potentially vulnerable.", "description_and_impact": "The vulnerability is an authentication bypass that permits an attacker to modify critical configuration settings on Buffalo Wi\u2011Fi routers without providing valid credentials. The official description states that such an attacker can alter configuration without authentication, which directly threatens the integrity of the device\u2019s network settings and potentially its overall security posture.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity vulnerability. Because the flaw does not require any authentication, the likely attack vector is remote, as an attacker could send crafted traffic over the network to the router. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, but the high severity and remote nature of the exploitability warrant immediate action to mitigate the risk of unauthorized configuration changes."}}}}, "created": "2026-03-27T09:22:13.400070+00:00", "title": "Authentication Bypass in Buffalo Wi\u2011Fi Routers Allowing Unauthorized Configuration Changes", "updated": "2026-03-27T09:22:13.400094+00:00", "vendors": []}