Skip to main content

ELECOM WRC Wireless LAN Access Points CVE-2026-25107

| EUVDEUVD-2026-29935 MEDIUM
Use of Hard-coded Cryptographic Key (CWE-321)
2026-05-13 jpcert GHSA-73h9-jvhg-453m
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
May 13, 2026 - 15:52 NVD
6.5 (MEDIUM) 6.9 (MEDIUM)
Analysis Generated
May 13, 2026 - 13:15 vuln.today
CVE Published
May 13, 2026 - 12:01 nvd
MEDIUM 6.5

DescriptionCVE.org

ELECOM wireless LAN access point devices use a hard-coded cryptographic key when creating backups of configuration files. An attacker who knows the encryption key can tamper the configuration file of the product, and a victim administrator may be tricked to use a crafted configuration file.

AnalysisAI

ELECOM wireless LAN access point devices WRC-X1800GS-B, WRC-X3000GS2 series, WRC-X6000QS series, and related models use a hard-coded cryptographic key to encrypt configuration file backups. An attacker who obtains a backup file can decrypt and modify the configuration using the publicly known key, then trick a network administrator into restoring the malicious configuration, enabling complete compromise of network settings. This requires user interaction (administrator deploying a crafted backup) but no authentication, making it a practical attack vector for supply-chain compromise or insider threats. CVSS 6.5 (Medium) reflects the high integrity impact balanced against the requirement for administrator interaction.

Technical ContextAI

ELECOM wireless access points implement a backup-and-restore mechanism for configuration persistence. The underlying vulnerability stems from CWE-321 (Use of Hard-Coded Cryptographic Key), where the encryption key used to protect exported configuration files is static and known. When an administrator exports a configuration backup, the device encrypts it with this hard-coded key rather than a unique, device-derived key or administrator-supplied passphrase. This allows any attacker with access to a backup file (via network interception, vendor disclosure, or direct device access) to perform cryptographic decryption and modification. The affected products span multiple ELECOM wireless router lines (WRC-X series nomenclature indicates Wi-Fi 6 and dual-band designs), all sharing the same flawed backup encryption implementation.

RemediationAI

ELECOM has released firmware updates addressing this vulnerability by implementing a unique or dynamic encryption key for configuration backups instead of the hard-coded key. Administrators should visit the ELECOM support pages for their specific model (e.g., WRC-X3000GS2-B, WRC-X6000QS-G) and download and apply the latest available firmware version. The patch is applied by uploading the updated firmware image through the access point's web management interface (typically accessible at 192.168.0.1). Until patching is possible, administrators should implement compensating controls: store configuration backups in a physically and logically segregated secure location with access controls restricting who can retrieve them, validate configuration backups against a known-good baseline before restoration (compare SSID, security settings, and static routes), and disable the backup export feature in the web UI if remote management is not required. Note that these workarounds do not prevent an attacker from crafting a malicious backup; they only reduce the likelihood of accidental deployment. No temporary configuration change or disabling of a specific feature on unpatched devices will block this attack vector entirely.

Share

CVE-2026-25107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy