Published: 2025/06/24  Last Updated: 2025/06/24

JVN#39435597
Multiple vulnerabilities in ELECOM wireless LAN routers

Overview

Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities.

Products Affected

CVE-2025-36519

  • WRC-2533GST2 v1.31 and earlier
  • WRC-1167GST2 v1.34 and earlier

CVE-2025-41427

  • WRC-X3000GS v1.0.34 and earlier
  • WRC-X3000GSA v1.0.34 and earlier
  • WRC-X3000GSN v1.0.9 and earlier

CVE-2025-43877

  • WRC-1167GHBK2-S all versions

CVE-2025-43879, CVE-2025-48890

  • WRH-733GBK all versions
  • WRH-733GWH all versions

Description

Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.

  • Unrestricted upload of file with dangerous type (CWE-434)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.3
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score 4.3
    • CVE-2025-36519
  • OS command injection in Connection Diagnostics page (CWE-78)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.7
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
    • CVE-2025-41427
  • Stored cross-site scripting in WebGUI (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.8
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2025-43877
  • OS command injection in the telnet function (CWE-78)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2025-43879
  • OS command injection in miniigd SOAP service (CWE-78)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2025-48890

Impact

  • If a specially crafted file is uploaded by a remote authenticated attacker, arbitrary code may be executed on the product (CVE-2025-36519)
  • If a remote authenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed (CVE-2025-41427)
  • An arbitrary script may be executed in the web browser of a user who accesses the WebGUI of the product (CVE-2025-43877)
  • If a remote unauthenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed (CVE-2025-43879, CVE-2025-48890)

Solution

CVE-2025-36519, CVE-2025-41427
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

CVE-2025-43877
Stop using the products
The developer states that the vulnerable products are no longer supported and therefore recommends that users stop using the products.
Applying the following workarounds may mitigate the impact of this vulnerability until alternative products are adopted.

  • Change the WebGUI login password
  • Do not access other websites while logged in to the WebGUI
  • Close the web browser after operating the WebGUI
  • Delete the WebGUI login password stored in the web browser

CVE-2025-43879, CVE-2025-48890
Stop using the products
The developer states that the vulnerable products are no longer supported and therefore recommends that users stop using the products.

Vendor Status

Vendor           Status      Last Update   Vendor Notes
ELECOM CO.,LTD.  Vulnerable  2025/06/24    ELECOM CO.,LTD. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2025-36519
Tien Phan reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVE-2025-41427
Yoshiki Yuzawa of IssueHunt, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2025-43877
Kawauchi Manami of NEC Fielding,Ltd. and Toyama Taku of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2025-43879, CVE-2025-48890
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2025-36519, CVE-2025-41427, CVE-2025-43877, CVE-2025-43879, CVE-2025-48890
JVN iPedia: JVNDB-2025-000041