CVE-2026-33280

Critical

Published: 27 March 2026

Published

27 March 2026

Modified

31 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33280 is a critical-severity Hidden Functionality (CWE-912) vulnerability in Buffalo Wcr-1166Dhpl Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely remediation of flaws through firmware patching directly eliminates the hidden debugging functionality exploited for arbitrary OS command execution.

CM-7 Least Functionality good match

prevent

Configuring the router to disable non-essential debugging capabilities prevents unauthorized access to command execution features.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Identifying and prohibiting unauthenticated access to sensitive functions like debugging ensures no hidden capabilities are exploitable without authorization.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Remote unauthenticated exploitation of public-facing Wi-Fi router debugging functionality enables arbitrary OS command execution, directly mapping to Exploit Public-Facing Application (T1190) and Network Device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product’s debugging functionality, resulting in the execution of arbitrary OS commands.

Deeper analysisAI

CVE-2026-33280 is a hidden functionality vulnerability (CWE-912) present in BUFFALO Wi-Fi router products. Published on 2026-03-27, it allows attackers to access the product's debugging functionality, which may result in the execution of arbitrary OS commands. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.

A remote attacker with network access can exploit this vulnerability without authentication, privileges, or user interaction. Exploitation involves low complexity and leads to high confidentiality, integrity, and availability impacts, enabling full compromise of the affected router through arbitrary OS command execution.

Advisories detailing mitigations and patches are available from JVN at https://jvn.jp/en/jp/JVN83788689/ and Buffalo at https://www.buffalo.jp/news/detail/20260323-01.html. Security practitioners should review these sources for specific firmware updates, configuration changes, or other remediation steps applicable to affected products.

Details

CWE(s): CWE-912

Affected Products

buffalo

wcr-1166dhpl firmware

≤ 1.01

buffalo

wsr3600be4-kh firmware

≤ 6.02

buffalo

wsr3600be4p firmware

≤ 5.02

buffalo

wxr-1750dhp firmware

≤ 2.63

buffalo

wxr-1750dhp2 firmware

≤ 2.63

buffalo

wxr18000be10p firmware

≤ 5.03

buffalo

wxr-1900dhp firmware

≤ 2.53

buffalo

wxr-1900dhp2 firmware

≤ 2.62

buffalo

wxr-1900dhp3 firmware

≤ 2.66

buffalo

wxr-5950ax12 firmware

≤ 3.57

+36 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-32669Same product: Buffalo Fs-M1266

CVE-2026-27650Same product: Buffalo Fs-M1266

CVE-2024-39754Shared CWE-912

CVE-2026-1952Shared CWE-912

CVE-2026-3587Shared CWE-912

CVE-2026-30704Shared CWE-912

CVE-2025-0626Shared CWE-912

CVE-2025-0675Shared CWE-912

CVE-2024-13062Shared CWE-912

CVE-2025-48418Shared CWE-912

References

https://jvn.jp/en/jp/JVN83788689/
Third Party Advisory · vultures@jpcert.or.jp
https://www.buffalo.jp/news/detail/20260323-01.html
Vendor Advisory · vultures@jpcert.or.jp