CVE-2026-27650

Home/CVE/OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbit

CVE

OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbit

OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary OS command may be executed on the products.

CRITICAL · CVSS 9.8 EPSS 0.00082

Schedule remediation

SSVC automatable: yes - attacks can be scripted at scale
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

▤

Affected Products & Versions

buffalo wcr-1166dhpl firmware< 1.01
buffalo wsr3600be4-kh firmware< 6.02
buffalo wsr3600be4p firmware< 5.02
buffalo wxr-1750dhp firmware< 2.63
buffalo wxr-1750dhp2 firmware< 2.63
buffalo wxr18000be10p firmware< 5.03
buffalo wxr-1900dhp firmware< 2.53
buffalo wxr-1900dhp2 firmware< 2.62
Show all 46 affected productsbuffalo wxr-1900dhp3 firmware< 2.66
buffalo wxr-5950ax12 firmware< 3.57
buffalo wxr-6000ax12b firmware< 3.57
buffalo wxr-6000ax12p firmware< 3.57
buffalo wxr-6000ax12s firmware< 3.57
buffalo wzr-1166dhp firmware< 2.20
buffalo wzr-1166dhp2 firmware< 2.20
buffalo wzr-1750dhp firmware< 2.32
buffalo wzr-1750dhp2 firmware< 2.33
buffalo wzr-s1750dhp firmware< 2.34
buffalo wrm-d2133hp firmware< 3.01
buffalo wrm-d2133hs firmware< 3.01
buffalo wtr-m2133hp firmware< 3.01
buffalo wtr-m2133hs firmware< 3.01
buffalo wem-1266 firmware< 2.87
buffalo wem-1266wp firmware< 2.87
buffalo vr-u300w firmware< 1.42
buffalo vr-u500x firmware< 1.42
buffalo wapm-1266r firmware< 1.42
buffalo wapm-1266wdpr firmware< 1.42
buffalo wapm-1266wdpra firmware< 1.42
buffalo wapm-1750d firmware< 1.07
buffalo wapm-2133r firmware< 1.42
buffalo wapm-2133tr firmware< 1.42
buffalo wapm-ax4r firmware< 1.42
buffalo wapm-ax8r firmware< 1.42
buffalo wapm-axetr firmware< 1.42
buffalo waps-1266 firmware< 1.42
buffalo waps-ax4 firmware< 1.42
buffalo fs-m1266 firmware< 4.13
buffalo fs-s1266 firmware< 4.13
buffalo wzr-600dhp firmwareall versions
buffalo wzr-600dhp2 firmwareall versions
buffalo wzr-600dhp3 firmwareall versions
buffalo wzr-900dhp firmwareall versions
buffalo wzr-900dhp2 firmwareall versions
buffalo wzr-s600dhp firmwareall versions
buffalo wzr-s900dhp firmwareall versions

▣

Scoring & Timeline

9.8

CRITICAL · CVSS v3.1 · vultures@jpcert.or.jp

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD27 Mar 2026 · 06:16 AM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC triage · cisa-vulnrichment

Exploitation

none

Automatable

yes

Technical impact

total

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://jvn.jp/en/jp/JVN83788689/Third Party Advisory

https://www.buffalo.jp/news/detail/20260323-01.htmlVendor Advisory

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin