OS command injection vulnerability in multiple ELECOM LAN routers


Multiple ELECOM LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability (CWE-78).

Katsuhiko Sato(a.k.a. goroh_kun) of 00One, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

  • WRC-1167GST2 firmware firmware versions prior to v1.10
  • WRC-1750GST2 firmware firmware versions prior to v1.14
  • WRC-1900GST2 firmware firmware versions prior to v1.14
  • WRC-2533GST2 firmware firmware versions prior to v1.14


A remote attacker who can access the management screen of the affected device may execute an arbitrary OS command with root privilege.

[Apply the appropriate firmware update]
Apply the appropriate firmware update according to the information provided by the developer.
Vendor Information

CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2020-5634

  1. JVN : JVN#82892096
Revision History

  • [2020/10/05]
      Web page was published