Plaintext storage of a password issue exists in BUFFALO wireless LAN routers, which may allow a network-adjacent unauthenticated attacker with access to the product's login page may obtain configured credentials.
The vulnerability (CWE-256) consists in the fact that the router firmware stores access passwords in plaintext, without encryption or proper security. An attacker located in a network adjacent to the device and having access to the login page can read these credentials without needing to possess any privileges or interaction from the user.
An attacker can gain access to configured login credentials, which in practice means the possibility of taking full administrative control over the router and potential access to the local network.
Apply patches available from the manufacturer according to the references (https://www.buffalo.jp/news/detail/20240410-01.html). It is also recommended to restrict access to the device management interface only to trusted hosts and avoid exposing the administrative panel to external network interfaces.
Buffalo WSR-2533DHP, WSR-2533DHP-L and WSR-2533DHP2 routers (firmware indicated in the manufacturer's references).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HBuffalo Wsr 2533dhp
HWBuffalowszystkie wersjeBuffalo Wsr 2533dhp2
HWBuffalowszystkie wersjeBuffalo Wsr 2533dhp2 Firmware
OSBuffalo< 1.11Buffalo Wsr 2533dhp Firmware
OSBuffalo< 1.07Buffalo Wsr 2533dhpl
HWBuffalowszystkie wersjeBuffalo Wsr 2533dhpl Firmware
OSBuffalo< 1.07Buffalo Wsr A2533dhp2
HWBuffalowszystkie wersjeBuffalo Wsr A2533dhp2 Firmware
OSBuffalo< 1.11
Related vulnerabilities
OS command injection vulnerability in Buffalo network devices allows an network-adjacent attacker to execute a...
OS command injection vulnerability in BUFFALO wireless LAN routers allows a logged-in user to execute arbitrar...
OS command injection vulnerability in Buffalo network devices allows a network-adjacent attacker with an admin...
Hidden functionality vulnerability in Buffalo network devices allows a network-adjacent attacker with an admin...
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR...