Cyber Resilience

CVE-2026-33280

High

Published: 27 March 2026

Published
27 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 29.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33280 is a high-severity Hidden Functionality (CWE-912) vulnerability in Buffalo Wcr-1166Dhpl Firmware. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-33280 is a hidden functionality vulnerability (CWE-912) present in BUFFALO Wi-Fi router products. Published on 2026-03-27, it allows attackers to access the product's debugging functionality, which may result in the execution of arbitrary OS commands. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.

A remote attacker with network access can exploit this vulnerability without authentication, privileges, or user interaction. Exploitation involves low complexity and leads to high confidentiality, integrity, and availability impacts, enabling full compromise of the affected router through arbitrary OS command execution.

Advisories detailing mitigations and patches are available from JVN at https://jvn.jp/en/jp/JVN83788689/ and Buffalo at https://www.buffalo.jp/news/detail/20260323-01.html. Security practitioners should review these sources for specific firmware updates, configuration changes, or other remediation steps applicable to affected products.

EU & UK References

Vulnerability details

Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product’s debugging functionality, resulting in the execution of arbitrary OS commands.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Remote unauthenticated exploitation of public-facing Wi-Fi router debugging functionality enables arbitrary OS command execution, directly mapping to Exploit Public-Facing Application (T1190) and Network Device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32669Same product: Buffalo Fs-M1266
CVE-2026-32678Same product: Buffalo Fs-M1266
CVE-2026-27650Same product: Buffalo Fs-M1266
CVE-2024-39754Shared CWE-912
CVE-2026-1952Shared CWE-912
CVE-2026-3587Shared CWE-912
CVE-2010-20103Shared CWE-912
CVE-2025-0626Shared CWE-912
CVE-2025-48418Shared CWE-912
CVE-2026-30704Shared CWE-912

Affected Assets

buffalo
wcr-1166dhpl firmware
≤ 1.01
buffalo
wsr3600be4-kh firmware
≤ 6.02
buffalo
wsr3600be4p firmware
≤ 5.02
buffalo
wxr-1750dhp firmware
≤ 2.63
buffalo
wxr-1750dhp2 firmware
≤ 2.63
buffalo
wxr18000be10p firmware
≤ 5.03
buffalo
wxr-1900dhp firmware
≤ 2.53
buffalo
wxr-1900dhp2 firmware
≤ 2.62
buffalo
wxr-1900dhp3 firmware
≤ 2.66
buffalo
wxr-5950ax12 firmware
≤ 3.57
+36 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely remediation of flaws through firmware patching directly eliminates the hidden debugging functionality exploited for arbitrary OS command execution.

prevent

Configuring the router to disable non-essential debugging capabilities prevents unauthorized access to command execution features.

prevent

Identifying and prohibiting unauthenticated access to sensitive functions like debugging ensures no hidden capabilities are exploitable without authorization.

References