Published:2024/03/26 Last Updated:2024/03/26
JVNVU#95381465
Multiple vulnerabilities in ELECOM wireless routers
Overview
Multiple wireless routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities.
Products Affected
- WRC-X3200GST3-B v1.25 and earlier
- WRC-G01-W v1.24 and earlier
Description
Multiple wireless routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.
- OS Command Injection (CWE-78) - CVE-2024-25568
CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8 CVSS v2 AV:A/AC:L/Au:N/C:P/I:P/A:P Base Score: 5.8 - OS Command Injection (CWE-78) - CVE-2024-26258
CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 6.8 CVSS v2 AV:A/AC:L/Au:S/C:P/I:P/A:P Base Score: 5.2 - Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) - CVE-2024-29225
CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 6.5 CVSS v2 AV:A/AC:L/Au:N/C:P/I:N/A:N Base Score: 3.3
Impact
- An unauthenticated attacker may execute an arbitrary OS command by sending a specially crafted request - CVE-2024-25568
- A user with credentials may execute an arbitrary OS command by sending a specially crafted request - CVE-2024-26258
- An unauthenticated attacker may obtain the configuration file containing sensitive information by sending a specially crafted request - CVE-2024-29225
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| ELECOM CO.,LTD. | Vulnerable | 2024/03/26 | ELECOM CO.,LTD. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-25568 |
|
CVE-2024-26258 |
|
|
CVE-2024-29225 |
|
| JVN iPedia |
|