#VU124653 OS Command Injection in BUFFALO INC. products - CVE-2026-27650

Vulnerability identifier: #VU124653

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-27650

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
WAPM-2133TR
WAPM-AX4R
WAPM-AX8R
WAPM-AXETR
WAPS-1266
WAPS-AX4
FS-M1266
FS-S1266
WCR-1166DHPL
WSR3600BE4-KH
WSR3600BE4P
WXR-1750DHP
WXR-1750DHP2
WXR18000BE10P
WXR-1900DHP
WXR-1900DHP2
WXR-1900DHP3
WXR-5950AX12
WXR-6000AX12B
WXR-6000AX12P
WXR-6000AX12S
WZR-1166DHP
WZR-1166DHP2
WZR-1750DHP
WZR-1750DHP2
WZR-S1750DHP
WRM-D2133HP
WRM-D2133HS
WTR-M2133HP
WTR-M2133HS
WEM-1266
WEM-1266WP
VR-U300W
VR-U500X
WAPM-1266R
WAPM-1266WDPR
WAPM-1266WDPRA
WAPM-1750D
WAPM-2133R

Software vendor:
BUFFALO INC.

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install updates from vendor's website.

• https://jvn.jp/en/jp/JVN83788689/index.html
• https://www.buffalo.jp/news/detail/20260323-01.html