Skip to main content

ELECOM wireless LAN access points CVE-2026-42062

| EUVDEUVD-2026-29941 CRITICAL
OS Command Injection (CWE-78)
2026-05-13 jpcert GHSA-mh6j-mmrp-wqc9
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 13, 2026 - 15:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 13, 2026 - 15:52 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 15:52 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
May 13, 2026 - 13:16 vuln.today
CVE Published
May 13, 2026 - 12:01 nvd
CRITICAL 9.8

DescriptionCVE.org

ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command may be executed. No authentication is required.

AnalysisAI

OS command injection in ELECOM wireless LAN access points (WRC-BE72XSD, WRC-BE65QSD, WRC-W702 series) allows unauthenticated remote attackers to execute arbitrary system commands via crafted username parameter without authentication. The vulnerability affects multiple enterprise and consumer access point models running firmware v1.1.0-1.1.1, with public disclosure by JPCERT/CC and vendor advisory available from ELECOM. CVSS 4.0 score of 9.3 reflects critical severity with network attack vector, low complexity, and no privilege requirements, enabling complete system compromise of affected wireless infrastructure devices.

Technical ContextAI

The vulnerability exists in the web management interface of ELECOM wireless access points, specifically in input validation routines processing the username parameter during authentication or user management operations. CWE-78 (OS Command Injection) indicates the application fails to properly sanitize user-supplied input before passing it to system shell commands, likely through unsafe functions like system(), exec(), or popen() in the device's embedded Linux firmware. The affected CPE entries identify four distinct product lines (WRC-BE72XSD-B, WRC-BE72XSD-BA, WRC-BE65QSD-B, WRC-W702-B) manufactured by ELECOM Co., Ltd., all sharing vulnerable firmware versions in the 1.1.x branch. These are WiFi 6E/7-capable enterprise access points running embedded web servers that expose administrative interfaces, making them attractive targets for network infrastructure compromise and lateral movement in enterprise environments.

RemediationAI

Apply firmware updates from ELECOM immediately by visiting the vendor security advisory at https://www.elecom.co.jp/news/security/20260512-01/ for patched firmware versions and installation instructions specific to each affected model (exact patched version numbers not specified in available data but should be obtained from vendor advisory). Until patching is completed, implement network-level compensating controls: isolate affected access points on dedicated management VLANs with strict firewall rules permitting administrative access only from jump hosts on trusted subnets; disable remote management interfaces entirely if not operationally required and restrict administration to local console access only; deploy intrusion prevention system (IPS) signatures to detect command injection attempts in HTTP requests to device management interfaces (note: evasion techniques may bypass signature detection). For internet-facing or guest network deployments, immediately remove devices from untrusted network segments as no effective workaround exists for unauthenticated remote vulnerabilities. Consider replacing with alternative vendor hardware if patching timeline exceeds acceptable risk window, as compromised network infrastructure devices provide persistent attacker footholds resistant to endpoint-focused detection.

Share

CVE-2026-42062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy