Skip to main content

ELECOM wireless LAN CVE-2026-40621

| EUVDEUVD-2026-29940 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-13 jpcert GHSA-9v2f-mjhv-cgq5
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 13, 2026 - 15:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 13, 2026 - 15:52 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 15:52 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
May 13, 2026 - 13:15 vuln.today
CVE Published
May 13, 2026 - 12:01 nvd
CRITICAL 9.8

DescriptionCVE.org

ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.

AnalysisAI

Unauthenticated remote access to ELECOM wireless LAN access points (WRC-BE72XSD, WRC-BE65QSD, WRC-W702 models) allows attackers to perform administrative operations via specific URLs that bypass authentication (CWE-288). With CVSS 4.0 score 9.3 (AV:N/AC:L/PR:N), this represents a critical access control failure enabling complete device compromise over the network. EPSS data not available; no confirmed active exploitation (not in CISA KEV) or public POC identified at time of analysis, though the vendor advisory from ELECOM and JPCERT coordination suggests real-world discovery.

Technical ContextAI

This vulnerability affects ELECOM's enterprise and consumer Wi-Fi 6E/7E access point product line (WRC-BE72XSD-B/BA, WRC-BE65QSD-B, WRC-W702-B running firmware v1.1.0-1.1.1). The issue is a classic authentication bypass (CWE-288: Authentication Bypass by Alternate Path/Channel) where the web management interface fails to enforce authentication checks on certain administrative URLs. In modern network appliances, every HTTP endpoint should validate session tokens or credentials, but path-based authorization flaws like this allow direct URL manipulation to reach privileged functions. The CPE strings identify the vendor as 'elecom_co.,ltd.' with specific model/firmware combinations vulnerable. This represents a fundamental access control failure in the device's embedded HTTP server implementation.

RemediationAI

Apply firmware updates from ELECOM immediately per security advisory at https://www.elecom.co.jp/news/security/20260512-01/. Specific patched firmware versions are not listed in available NVD data; consult the vendor advisory for exact fix releases for each model (WRC-BE72XSD-B/BA, WRC-BE65QSD-B, WRC-W702-B). Until patching, implement network-level compensating controls: (1) Disable remote administration features entirely if not required-trade-off is loss of remote management capability but eliminates internet-facing attack surface; (2) Restrict management interface access via firewall rules to specific trusted IP addresses only-reduces risk from guest networks and compromised IoT devices but requires maintaining IP allowlists; (3) Segment access point management VLANs from user/guest networks-limits lateral movement but requires VLAN-capable infrastructure; (4) Deploy intrusion detection to monitor unauthorized access attempts to management URLs-provides detection but not prevention. These mitigations do NOT fix the underlying authentication bypass and should be considered temporary until firmware patching is completed.

Share

CVE-2026-40621 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy