Skip to main content

ELECOM wireless LAN access points CVE-2026-42961

| EUVDEUVD-2026-29944 MEDIUM
Use of Invariant Value in Dynamically Changing Context (CWE-344)
2026-05-13 jpcert GHSA-9q5w-fvxj-wgpq
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
May 13, 2026 - 15:52 NVD
4.3 (MEDIUM) 5.1 (MEDIUM)
Analysis Generated
May 13, 2026 - 13:17 vuln.today
CVE Published
May 13, 2026 - 12:02 nvd
MEDIUM 4.3

DescriptionCVE.org

ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.

AnalysisAI

Cross-site request forgery (CSRF) in ELECOM wireless LAN access points (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) allows remote attackers to trick authenticated users into performing unintended administrative operations by viewing a malicious webpage. The vulnerability exists despite CSRF token implementation due to inadequate token validation, enabling integrity compromise of access point configuration without user knowledge.

Technical ContextAI

ELECOM wireless LAN access points implement CSRF token protection but fail to properly validate or enforce token specificity during state-changing operations. The vulnerability is classified as CWE-344 (Improper Verification of Data Authenticity), indicating the device accepts requests with missing, reused, or improperly scoped CSRF tokens. Affected devices are ELECOM WAB-BE series access points (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) that provide web-based administrative interfaces for network configuration. The flaw requires user interaction in the form of session hijacking via malicious website visits while the admin remains logged into the device's web interface.

RemediationAI

Apply vendor-released security updates from ELECOM at https://www.elecom.co.jp/news/security/20260512-01/ - specific patched firmware versions are not provided in this advisory; contact ELECOM support for firmware download links. Interim compensating controls include: restrict administrative web interface access to trusted IP addresses via firewall ACLs or access point IP filtering (limits attack vector for remote attackers), require administrators to avoid untrusted websites while logged into the device (reduces user interaction risk), implement a separate isolated administrative network segment for access point management, and disable remote management if not required. These controls reduce but do not eliminate the CSRF risk; patching is the primary remediation. Side effect: IP-based restrictions may complicate legitimate remote administration; administrative network segmentation adds operational complexity.

Share

CVE-2026-42961 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy