CVE-2026-32326
Authentication Bypass in SHARP Router Web APIs Enables Takeover

Publication date: 2026-03-25

Last updated on: 2026-03-25

Assigner: JPCERT/CC

Description
SHARP routers do not perform authentication for some web APIs. The device information may be retrieved without authentication. If the administrative password of the device is left as the initial one, the device may be taken over.
Meta Information
Published: 2026-03-25
Last Modified: 2026-03-25
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 8 associated CPEs
Vendor      Product                   Version / Range
ntt_docomo  home_5g_hr01              to 38JP_0_490 (inc)
ntt_docomo  home_5g_hr02              to S5.A1.00 (inc)
ntt_docomo  wi-fi_station_sh-52a      to 38JP_2_03J (inc)
ntt_docomo  wi-fi_station_sh-52b      to S3.87.15 (inc)
ntt_docomo  wi-fi_station_sh-54c      to S6.64.00 (inc)
softbank    5g_mobile_router_sh-u01   to S4.48.00 (inc)
softbank    pocket_wifi_5g_a503sh     to S7.41.00 (inc)
kddi        speed_wi-fi_5g_x01        to 3RJP_2_03I (inc)
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects certain SHARP routers used by NTT DOCOMO, SoftBank, and KDDI. Some web APIs on these routers do not require authentication, which allows unauthorized users to retrieve device information.

Since the initial administrative password of the device is partially based on this exposed device information, if the default password remains unchanged, attackers can potentially gain unauthorized access to the device.


How can this vulnerability impact me?

The vulnerability can lead to unauthorized retrieval of sensitive device information through unauthenticated web APIs.

If the device's administrative password is left as the default initial password, attackers may take over the device, potentially compromising its security and functionality. [1, 2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves certain SHARP routers whose web APIs do not require authentication, allowing unauthorized retrieval of device information. Detection involves checking if the device exposes such unauthenticated web APIs.

To detect this on your network or system, you can attempt to access the router's web API endpoints without authentication and observe if device information is returned.

For example, you might use commands like curl or wget to query the router's API URLs and check for responses containing device information without providing credentials.

    curl http://[router_ip]/api/device_info
    wget -qO- http://[router_ip]/api/device_info

If these commands return device information without requiring authentication, the device is vulnerable. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the router firmware to the latest version that addresses this vulnerability.

If your device is one of the models for which firmware updates are no longer provided (such as Wi-Fi STATION SH-52A and Speed Wi-Fi 5G X01), you should manually change the default administrative password via the router’s web-based Settings Tool.

Additionally, ensure that the administrative password is not left as the initial default password to prevent unauthorized access.

For devices with automatic updates enabled, verify that the latest patches have been applied.

