Cyber Resilience

CVE-2026-32669

HighRCE

Published: 27 March 2026

Published
27 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0027 17.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32669 is a high-severity Code Injection (CWE-94) vulnerability in Buffalo Wcr-1166Dhpl Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32669 is a code injection vulnerability (CWE-94) present in BUFFALO Wi-Fi router products. If exploited, it allows arbitrary code execution on the affected products. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its high impact potential.

Remote attackers can exploit this vulnerability over the network with low complexity, without requiring authentication, privileges, or user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, enabling full compromise of the router, such as persistent control or further network pivoting.

Mitigation guidance is detailed in advisories published by JVN at https://jvn.jp/en/jp/JVN83788689/ and Buffalo at https://www.buffalo.jp/news/detail/20260323-01.html.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Code injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary code may be executed on the products.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated code injection (CWE-94) in Buffalo router web/management interface directly enables T1190 Exploit Public-Facing Application for arbitrary code execution and full device compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33280Same product: Buffalo Fs-M1266
CVE-2026-32678Same product: Buffalo Fs-M1266
CVE-2026-27650Same product: Buffalo Fs-M1266
CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-40563Shared CWE-94
CVE-2024-32641Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-2052Shared CWE-94
CVE-2026-9170Shared CWE-94

Affected Assets

buffalo
wcr-1166dhpl firmware
≤ 1.01
buffalo
wsr3600be4-kh firmware
≤ 6.02
buffalo
wsr3600be4p firmware
≤ 5.02
buffalo
wxr-1750dhp firmware
≤ 2.63
buffalo
wxr-1750dhp2 firmware
≤ 2.63
buffalo
wxr18000be10p firmware
≤ 5.03
buffalo
wxr-1900dhp firmware
≤ 2.53
buffalo
wxr-1900dhp2 firmware
≤ 2.62
buffalo
wxr-1900dhp3 firmware
≤ 2.66
buffalo
wxr-5950ax12 firmware
≤ 3.57
+36 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the code injection vulnerability by identifying, reporting, and patching the specific flaw in BUFFALO Wi-Fi router firmware as per vendor advisories.

prevent

Prevents code injection attacks like CVE-2026-32669 by validating all external information inputs to the router's services.

prevent

Mitigates exploitation of the code injection vulnerability by implementing memory protections such as non-executable stacks or ASLR on the router.

References