Published:2025/11/07 Last Updated:2025/11/07
JVN#13754005
Use of password hash with insufficient computational effort vulnerability in BUFFALO Wi-Fi router "WSR-1800AX4 series"
Overview
Wi-Fi router "WSR-1800AX4 series" provided by BUFFALO INC. contains a use of password hash with insufficient computational effort vulnerability.
Products Affected
- WSR-1800AX4 firmware versions prior to Ver.1.09
- WSR-1800AX4S firmware versions prior to Ver.1.11
- WSR-1800AX4B firmware versions prior to Ver.1.11
- WSR-1800AX4-KH firmware versions prior to Ver.1.19
Description
Wi-Fi router "WSR-1800AX4 series" provided by BUFFALO INC. contains the following vulnerability.
- Use of password hash with insufficient computational effort (CWE-916)
- CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 5.3
- CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 4.3
- CVE-2025-46413
- This vulnerability affected when WPS is enabled
Impact
PIN code and/or Wi-Fi password may be obtained by an attacker.
Solution
Update the firmware
Apply the appropriate firmware update according to the information provided by the developer.
The developer has released the following firmware updates to address this vulnerability.
- WSR-1800AX4 firmware Ver.1.09
- WSR-1800AX4S firmware Ver.1.11
- WSR-1800AX4B firmware Ver.1.11
- WSR-1800AX4-KH firmware Ver.1.19
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| BUFFALO INC. | Vulnerable | 2025/11/07 | BUFFALO INC. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Kazuaki Chikamori and Takayuki Tatekawa of National Institute of Technology, Kochi College reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-46413 |
| JVN iPedia |
JVNDB-2025-000103 |