JVN#49524110
SHARP routers missing authentication for some web APIs

Overview

SHARP routers allow access to some web APIs without authentication.

Products Affected

For NTT DOCOMO, INC.

• home 5G HR01 versions 38JP_0_490 and earlier
• home 5G HR02 versions S5.A1.00 and earlier
• Wi-Fi STATION SH-52A versions 38JP_2_03J and earlier
• Wi-Fi STATION SH-52B versions S3.87.15 and earlier
• Wi-Fi STATION SH-54C versions S6.64.00 and earlier

• 5G Mobile Router SH-U01 versions S4.48.00 and earlier
• Pocket WiFi 5G A503SH versions S7.41.00 and earlier

• Speed Wi-Fi 5G X01 versions 3RJP_2_03I and earlier

Description

SHARP routers do not perform authentication for some web APIs.
Those web APIs provide device information, and the initial administrative password is based on a part of the device information.

• Missing authentication for critical function (CWE-306)
  • CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.9
  • CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Base Score 5.7
  • CVE-2026-32326

Impact

The device information may be retrieved without authentication.
If the administrative password of the device is left as the initial one, the device may be vulnerable to unauthorized access.

Solution

Update the firmware
Update the firmware to the latest version.

Note that the support service for Wi-Fi STATION SH-52A and Speed Wi-Fi 5G X01 have been discontinued, and no further updates will be provided.
The developer recommends the users to apply the workaround.

For more information, refer to the information provided by the developer.