Published: 2026/05/12  Last Updated: 2026/05/12

JVN#03037325
Multiple vulnerabilities in ELECOM wireless LAN routers and access points (May 2026)

Overview

Multiple wireless LAN routers and access points provided by ELECOM CO.,LTD. contain multiple vulnerabilities.

Products Affected

CVE-2026-25107

  • WRC-X3000GS2-B v1.09 and earlier
  • WRC-X3000GS2-W v1.09 and earlier
  • WRC-X3000GS2A-B v1.09 and earlier
  • WRC-X3000GST2-B v1.06 and earlier
  • WRC-X1800GS-B v1.19 and earlier
  • WRC-X1800GSA-B v1.19 and earlier
  • WRC-X1800GSH-B v1.19 and earlier
  • WRC-X6000QS-G v1.14 and earlier
  • WRC-X6000QSA-G v1.14 and earlier
  • WRC-X6000XS-G v1.12 and earlier
  • WRC-X6000XST-G v1.16 and earlier
  • WRC-XE5400GS-G v1.13 and earlier
  • WRC-XE5400GSA-G v1.13 and earlier

CVE-2026-35506, CVE-2026-40621, CVE-2026-42062

  • WRC-BE72XSD-B v1.1.1 and earlier
  • WRC-BE72XSD-BA v1.1.1 and earlier
  • WRC-BE65QSD-B v1.1.0 and earlier
  • WRC-W702-B v1.1.0 and earlier

CVE-2026-42948, CVE-2026-42950, CVE-2026-42961

  • WAB-BE187-M v1.1.10 and earlier
  • WAB-BE72-M v1.1.3 and earlier
  • WAB-BE36-M v1.1.3 and earlier
  • WAB-BE36-S v1.1.3 and earlier

Description

Multiple wireless LAN routers and access points provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.

  • Use of Hard-coded Cryptographic Key in creating backup of configuration files (CWE-321)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Base Score 6.9
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Base Score 6.5
    • CVE-2026-25107
  • OS command injection in processing of ping_ip_addr parameter (CWE-78)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.6
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
    • CVE-2026-35506
  • Missing authentication for specific URLs (CWE-288)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2026-40621
  • OS command injection in processing of username parameter (CWE-78)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2026-42062
  • Stored cross-site scripting due to inadequate hostname parameter handling (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.8
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Base Score 4.8
    • CVE-2026-42948
  • Missing Check for language parameter (CWE-754)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Base Score 4.3
    • CVE-2026-42950
  • Inadequate CSRF protection (CWE-344)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
    • CVE-2026-42961
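As an added illustration (not ELECOM's firmware code), the handling pattern that removes the OS command injection class listed above for the ping_ip_addr parameter: parse the value strictly as an IP address and hand it to ping as its own argv element, never through a shell. All function names are hypothetical.

```python
"""Hypothetical safe handling of a ping_ip_addr-style parameter.

Added example, not from the advisory or the vendor. A value that is not a
bare IPv4/IPv6 address is rejected before any command is assembled, and the
command is executed without a shell, so metacharacters never get a chance
to split the target into extra commands or options.
"""
import ipaddress
import subprocess


def parse_ping_target(value: str) -> str:
    """Return the canonical textual form of an IP address, or raise ValueError.

    Strict parsing rejects shell metacharacters, whitespace inside the value,
    option-like strings (leading '-') and hostnames in one step.
    """
    if not isinstance(value, str) or len(value) > 45:  # 45 = longest textual IPv6
        raise ValueError("ping_ip_addr: not a valid IP address")
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError("ping_ip_addr: not a valid IP address") from None


def is_safe_ping_target(value: str) -> bool:
    """Boolean wrapper around parse_ping_target for callers that prefer a check."""
    try:
        parse_ping_target(value)
        return True
    except ValueError:
        return False


def build_ping_argv(value: str, count: int = 1) -> list[str]:
    """Build the argv list for ping; each element is passed as one argument."""
    target = parse_ping_target(value)
    if not 1 <= count <= 5:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), target]


def run_ping(value: str, count: int = 1, timeout: float = 10.0) -> int:
    """Run ping without a shell (shell=False is the default) and return its exit code."""
    proc = subprocess.run(build_ping_argv(value, count), capture_output=True,
                          timeout=timeout, check=False)
    return proc.returncode
```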

Impact

  • The configuration file of the product may be tampered with by an attacker who knows the encryption key (CVE-2026-25107)
  • When a crafted request sent by a logged-in user is processed, an arbitrary OS command may be executed (CVE-2026-35506)
  • The affected product may be operated without authentication (CVE-2026-40621)
  • An arbitrary OS command may be executed without authentication (CVE-2026-42062)
  • If one of the administrators inputs malicious data, an arbitrary script may be executed in another administrative user's web browser (CVE-2026-42948)
  • If a user views a malicious page while logged in, the admin page in the user's web browser may be broken (CVE-2026-42950)
  • If a user views a malicious page while logged in, the user may be tricked into performing unintended operations (CVE-2026-42961)

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Vendor Status

Vendor: ELECOM CO.,LTD.
Status: Vulnerable
Last Update: 2026/05/12
Vendor Notes: ELECOM CO.,LTD. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

The vulnerabilities were reported by the following people, and JPCERT/CC coordinated with the developer.

CVE-2026-25107, CVE-2026-42950, CVE-2026-42961
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.

CVE-2026-42948
Sato Nobuhiro of Suzuki Motor Corporation, Futamata Keisuke of University of Fukui, Takahashi Natsuki of Shizuoka University, and Sasaki Miyu of Waseda University reported this vulnerability to IPA.

CVE-2026-35506, CVE-2026-40621, CVE-2026-42062
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.

Other Information

CVE: CVE-2026-25107, CVE-2026-35506, CVE-2026-40621, CVE-2026-42062, CVE-2026-42948, CVE-2026-42950, CVE-2026-42961
JVN iPedia: JVNDB-2026-000073