Published:2020/09/11  Last Updated:2020/09/11

Multiple vulnerabilities in Buffalo AirStation WHR-G54S


Buffalo AirStation WHR-G54S contains multiple vulnerabilities.

Products Affected

  • WHR-G54S firmware 1.43 and earlier


Buffalo AirStation WHR-G54S contains multiple vulnerabilities listed below.

  • Directory Traversal - CVE-2020-5605
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Base Score: 4.1
    CVSS v2 AV:A/AC:L/Au:S/C:P/I:N/A:N Base Score: 2.7
  • Cross-site Scripting - CVE-2020-5606
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6


  • An attacker who is logged in to the product may access sensitive information such as setting values - CVE-2020-5605
  • When a user who is logged in to the product accesses a specially crafted page, an arbitrary script may be executed on the user's web browser - CVE-2020-5606


Apply a workaround
Applying the following workarounds may mitigate the impacts of these vulnerabilities.

  • Log off when the setting screen is not being used
    • This product is designed to log off automatically when the setting screen is not operated for 5 minutes
  • Do not check other web pages while logged in to the setting screen
  • Change the default password
Do not use the product
According to the developer, the product is no longer supported and it is recommended for the users to use alternative products.
Please refer to the information provided by the developer for more details.

Vendor Status

Vendor Status Last Update Vendor Notes
BUFFALO INC. Vulnerable 2020/09/11 BUFFALO INC. website
Vendor Link
BUFFALO INC. DLPA Recommended Routers


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC


RyotaK reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2020-5605
JVN iPedia JVNDB-2020-000063