Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
ELECOM wireless LAN access point devices use a hard-coded cryptographic key when creating backups of configuration files. An attacker who knows the encryption key can tamper the configuration file of the product, and a victim administrator may be tricked to use a crafted configuration file.
AnalysisAI
ELECOM wireless LAN access point devices WRC-X1800GS-B, WRC-X3000GS2 series, WRC-X6000QS series, and related models use a hard-coded cryptographic key to encrypt configuration file backups. An attacker who obtains a backup file can decrypt and modify the configuration using the publicly known key, then trick a network administrator into restoring the malicious configuration, enabling complete compromise of network settings. This requires user interaction (administrator deploying a crafted backup) but no authentication, making it a practical attack vector for supply-chain compromise or insider threats. CVSS 6.5 (Medium) reflects the high integrity impact balanced against the requirement for administrator interaction.
Technical ContextAI
ELECOM wireless access points implement a backup-and-restore mechanism for configuration persistence. The underlying vulnerability stems from CWE-321 (Use of Hard-Coded Cryptographic Key), where the encryption key used to protect exported configuration files is static and known. When an administrator exports a configuration backup, the device encrypts it with this hard-coded key rather than a unique, device-derived key or administrator-supplied passphrase. This allows any attacker with access to a backup file (via network interception, vendor disclosure, or direct device access) to perform cryptographic decryption and modification. The affected products span multiple ELECOM wireless router lines (WRC-X series nomenclature indicates Wi-Fi 6 and dual-band designs), all sharing the same flawed backup encryption implementation.
RemediationAI
ELECOM has released firmware updates addressing this vulnerability by implementing a unique or dynamic encryption key for configuration backups instead of the hard-coded key. Administrators should visit the ELECOM support pages for their specific model (e.g., WRC-X3000GS2-B, WRC-X6000QS-G) and download and apply the latest available firmware version. The patch is applied by uploading the updated firmware image through the access point's web management interface (typically accessible at 192.168.0.1). Until patching is possible, administrators should implement compensating controls: store configuration backups in a physically and logically segregated secure location with access controls restricting who can retrieve them, validate configuration backups against a known-good baseline before restoration (compare SSID, security settings, and static routes), and disable the backup export feature in the web UI if remote management is not required. Note that these workarounds do not prevent an attacker from crafting a malicious backup; they only reduce the likelihood of accidental deployment. No temporary configuration change or disabling of a specific feature on unpatched devices will block this attack vector entirely.
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29935
GHSA-73h9-jvhg-453m