Skip to main content

ELECOM WRC access points EUVDEUVD-2026-29939

| CVE-2026-35506 HIGH
OS Command Injection (CWE-78)
2026-05-13 jpcert GHSA-p3g4-xxhh-7c6g
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 13, 2026 - 16:00 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 13, 2026 - 15:52 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 15:52 NVD
7.2 (HIGH) 8.6 (HIGH)
Analysis Generated
May 13, 2026 - 13:15 vuln.today
CVE Published
May 13, 2026 - 12:01 nvd
HIGH 7.2

DescriptionCVE.org

ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a logged-in user, an arbitrary OS command may be executed.

AnalysisAI

OS command injection in ELECOM wireless LAN access point devices allows authenticated administrators to execute arbitrary system commands via a crafted ping_ip_addr parameter. Affects multiple ELECOM WRC-series models including WRC-BE72XSD-B (v1.1.1 and earlier), WRC-BE65QSD-B (v1.1.0 and earlier), and WRC-W702-B (v1.1.0 and earlier). Despite the high CVSS 8.6 score, exploitation requires high-privilege (administrator) credentials, significantly limiting real-world risk to scenarios involving compromised admin accounts or malicious insiders. No active exploitation (KEV) or public POC has been identified at time of analysis. Vendor advisory available from ELECOM with remediation guidance.

Technical ContextAI

This vulnerability stems from improper neutralization of special elements used in OS commands (CWE-78), specifically in the ping diagnostic functionality common to network device web interfaces. The ping_ip_addr parameter, likely part of a network troubleshooting feature in the access point's administrative interface, fails to sanitize user input before passing it to system shell commands. When the device executes ping operations, unsanitized input allows injection of command separators (such as semicolons, pipes, or ampersands) to chain arbitrary commands. The affected products are enterprise and consumer wireless access points from ELECOM Co., Ltd., identified by CPE strings for WRC-BE72XSD-B/BA (WiFi 7 models), WRC-BE65QSD-B (WiFi 6E model), and WRC-W702-B variants. These devices run embedded Linux-based firmware with web management interfaces, where diagnostic tools like ping are commonly implemented through shell command execution rather than native API calls, creating injection risks when input validation is insufficient.

RemediationAI

Apply firmware updates from ELECOM as detailed in the vendor security advisory at https://www.elecom.co.jp/news/security/20260512-01/. Specific patched firmware versions are not independently confirmed from available data-consult the vendor advisory for exact upgrade paths for each affected model (WRC-BE72XSD-B/BA, WRC-BE65QSD-B, WRC-W702-B). Until patches are applied, implement compensating controls: restrict administrative interface access to dedicated management VLANs with strict IP allowlisting (blocks remote exploitation vector), enforce multi-factor authentication for all admin accounts (raises PR:H barrier further), disable remote management features if not operationally required (eliminates AV:N attack surface), and monitor access point system logs for unexpected ping utility invocations or shell command patterns. Note that disabling diagnostic features may impact troubleshooting workflows-balance security risk against operational requirements. As a longer-term control, rotate all administrative credentials following patch application to invalidate any previously compromised accounts.

Share

EUVD-2026-29939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy