Published: 2021/04/27  Last Updated: 2021/04/30

Multiple Buffalo network devices contain hidden functionality


Multiple network devices provided by BUFFALO INC. contain hidden functionality.

Products Affected

  • BHR-4RV firmware Ver.2.55 and prior
  • FS-G54 firmware Ver.2.04 and prior
  • WBR2-B11 firmware Ver.2.32 and prior
  • WBR2-G54 firmware Ver.2.32 and prior
  • WBR2-G54-KD firmware Ver.2.32 and prior
  • WBR-B11 firmware Ver.2.23 and prior
  • WBR-G54 firmware Ver.2.23 and prior
  • WBR-G54L firmware Ver.2.20 and prior
  • WHR2-A54G54 firmware Ver.2.25 and prior
  • WHR2-G54 firmware Ver.2.23 and prior
  • WHR2-G54V firmware Ver.2.55 and prior
  • WHR3-AG54 firmware Ver.2.23 and prior
  • WHR-G54 firmware Ver.2.16 and prior
  • WHR-G54-NF firmware Ver.2.10 and prior
  • WLA2-G54 firmware Ver.2.24 and prior
  • WLA2-G54C firmware Ver.2.24 and prior
  • WLA-B11 firmware Ver.2.20 and prior
  • WLA-G54 firmware Ver.2.20 and prior
  • WLA-G54C firmware Ver.2.20 and prior
  • WLAH-A54G54 firmware Ver.2.54 and prior
  • WLAH-AM54G54 firmware Ver.2.54 and prior
  • WLAH-G54 firmware Ver.2.54 and prior
  • WLI2-TX1-AG54 firmware Ver.2.53 and prior
  • WLI2-TX1-AMG54 firmware Ver.2.53 and prior
  • WLI2-TX1-G54 firmware Ver.2.20 and prior
  • WLI3-TX1-AMG54 firmware Ver.2.53 and prior
  • WLI3-TX1-G54 firmware Ver.2.53 and prior
  • WLI-T1-B11 firmware Ver.2.20 and prior
  • WLI-TX1-G54 firmware Ver.2.20 and prior
  • WVR-G54-NF firmware Ver.2.02 and prior
  • WZR-G108 firmware Ver.2.41 and prior
  • WZR-G54 firmware Ver.2.41 and prior
  • WZR-HP-G54 firmware Ver.2.41 and prior
  • WZR-RS-G54 firmware Ver.2.55 and prior
  • WZR-RS-G54HP firmware Ver.2.55 and prior


Multiple network devices provided by BUFFALO INC. contain hidden functionality (CWE-912) that allows an attacker to enable the debug option.


A network-adjacent attacker may execute arbitrary code or OS commands, change the configuration, and cause a denial of service (DoS) condition.



Do not use the products
According to the developer, the devices are no longer supported, and users are advised to switch to alternative devices.
For more details, refer to the information provided by the developer.

Vendor Status

Vendor          Status        Last Update   Vendor Notes
BUFFALO INC.    Vulnerable    2021/04/27    BUFFALO INC. website


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Base Score: 8.8
Attack Vector (AV): Physical (P) / Local (L) / Adjacent (A) / Network (N)
Attack Complexity (AC): High (H) / Low (L)
Privileges Required (PR): High (H) / Low (L) / None (N)
User Interaction (UI): Required (R) / None (N)
Scope (S): Unchanged (U) / Changed (C)
Confidentiality Impact (C): None (N) / Low (L) / High (H)
Integrity Impact (I): None (N) / Low (L) / High (H)
Availability Impact (A): None (N) / Low (L) / High (H)


Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE: CVE-2021-20716
JVN iPedia

Update History

Updated [Impact]