JVNVU#95381465
Multiple vulnerabilities in ELECOM wireless LAN routers

Overview

Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities.

Products Affected

CVE-2024-25568

• WRC-X3200GST3-B v1.25 and earlier
• WRC-G01-W v1.24 and earlier
• WMC-X1800GST-B v1.41 and earlier

• WRC-X3200GST3-B v1.25 and earlier
• WRC-G01-W v1.24 and earlier
• WRC-2533GST2 v1.30 and earlier

• WRC-X3200GST3-B v1.25 and earlier
• WRC-G01-W v1.24 and earlier

Description

Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.

• OS Command Injection (CWE-78) - CVE-2024-25568

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	Base Score: 8.8
  CVSS v2	AV:A/AC:L/Au:N/C:P/I:P/A:P	Base Score: 5.8

• OS Command Injection (CWE-78) - CVE-2024-26258

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	Base Score: 6.8
  CVSS v2	AV:A/AC:L/Au:S/C:P/I:P/A:P	Base Score: 5.2

• Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) - CVE-2024-29225

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	Base Score: 6.5
  CVSS v2	AV:A/AC:L/Au:N/C:P/I:N/A:N	Base Score: 3.3

Impact

• An unauthenticated attacker may execute an arbitrary OS command by sending a specially crafted request - CVE-2024-25568
• A user with credentials may execute an arbitrary OS command by sending a specially crafted request - CVE-2024-26258
• An unauthenticated attacker may obtain the configuration file containing sensitive information by sending a specially crafted request - CVE-2024-29225

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.