CVE-2026-33366
Received Received - Intake
Missing Authentication Allows Unauthorized Reboot in BUFFALO Routers

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: JPCERT/CC

Description
Missing authentication for critical function vulnerability in BUFFALO Wi-Fi router products may allow an attacker to forcibly reboot the product without authentication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33366
EUVD
EUVD-2026-16551
Affected Vendors & Products
Showing 46 associated CPEs
Vendor Product Version / Range
buffalo wcr-1166dhpl_firmware to 1.01 (exc)
buffalo wsr3600be4-kh_firmware to 6.02 (exc)
buffalo wsr3600be4p_firmware to 5.02 (exc)
buffalo wxr-1750dhp_firmware to 2.63 (exc)
buffalo wxr-1750dhp2_firmware to 2.63 (exc)
buffalo wxr18000be10p_firmware to 5.03 (exc)
buffalo wxr-1900dhp_firmware to 2.53 (exc)
buffalo wxr-1900dhp2_firmware to 2.62 (exc)
buffalo wxr-1900dhp3_firmware to 2.66 (exc)
buffalo wxr-5950ax12_firmware to 3.57 (exc)
buffalo wxr-6000ax12b_firmware to 3.57 (exc)
buffalo wxr-6000ax12p_firmware to 3.57 (exc)
buffalo wxr-6000ax12s_firmware to 3.57 (exc)
buffalo wzr-1166dhp_firmware to 2.20 (exc)
buffalo wzr-1166dhp2_firmware to 2.20 (exc)
buffalo wzr-1750dhp_firmware to 2.32 (exc)
buffalo wzr-1750dhp2_firmware to 2.33 (exc)
buffalo wzr-s1750dhp_firmware to 2.34 (exc)
buffalo wrm-d2133hp_firmware to 3.01 (exc)
buffalo wrm-d2133hs_firmware to 3.01 (exc)
buffalo wtr-m2133hp_firmware to 3.01 (exc)
buffalo wtr-m2133hs_firmware to 3.01 (exc)
buffalo wem-1266_firmware to 2.87 (exc)
buffalo wem-1266wp_firmware to 2.87 (exc)
buffalo vr-u300w_firmware to 1.42 (exc)
buffalo vr-u500x_firmware to 1.42 (exc)
buffalo wapm-1266r_firmware to 1.42 (exc)
buffalo wapm-1266wdpr_firmware to 1.42 (exc)
buffalo wapm-1266wdpra_firmware to 1.42 (exc)
buffalo wapm-1750d_firmware to 1.07 (exc)
buffalo wapm-2133r_firmware to 1.42 (exc)
buffalo wapm-2133tr_firmware to 1.42 (exc)
buffalo wapm-ax4r_firmware to 1.42 (exc)
buffalo wapm-ax8r_firmware to 1.42 (exc)
buffalo wapm-axetr_firmware to 1.42 (exc)
buffalo waps-1266_firmware to 1.42 (exc)
buffalo waps-ax4_firmware to 1.42 (exc)
buffalo fs-m1266_firmware to 4.13 (exc)
buffalo fs-s1266_firmware to 4.13 (exc)
buffalo wzr-600dhp_firmware *
buffalo wzr-600dhp2_firmware *
buffalo wzr-600dhp3_firmware *
buffalo wzr-900dhp_firmware *
buffalo wzr-900dhp2_firmware *
buffalo wzr-s600dhp_firmware *
buffalo wzr-s900dhp_firmware *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a missing authentication issue in BUFFALO Wi-Fi router products. It allows an attacker to forcibly reboot the router without needing to authenticate, meaning the attacker can trigger a reboot remotely without any credentials.

Impact Analysis

The impact of this vulnerability is that an attacker can cause a denial of service by repeatedly rebooting the router. This disrupts network availability and can interrupt internet connectivity for users relying on the affected device.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33366. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart