ELECOM wireless LAN routers vulnerable to OS command injection
Multiple ELECOM wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability.

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity

CVSS V3 Severity:
Base Metrics 6.8 (Medium)
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.2 (Medium)
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

  • WRC-X1800GS-B v1.17 and earlier
  • WRC-X1800GSA-B v1.17 and earlier
  • WRC-X1800GSH-B v1.17 and earlier
  • WRC-X6000XS-G v1.09
  • WRC-X6000XST-G v1.12 and earlier

Impact

If a logged-in user with administrative privileges sends a specially crafted request to the product, an arbitrary OS command may be executed.

Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
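As an added illustration that is not ELECOM's code (the advisory does not disclose the affected code path), the C program below shows the generic CWE-78 pattern this advisory describes: a hypothetical router admin-UI diagnostic handler that splices a request parameter into a shell command line, next to a hardened version that allowlists the value as an IP literal and runs the tool without any shell. The names `build_shell_command`, `has_shell_metachar`, `validate_host` and `safe_ping`, and the sample input, are assumptions made for this example.

```c
/* Added example, not the vendor's code: the OS command injection (CWE-78)
 * pattern and its mitigation, in the setting of a hypothetical "ping"
 * diagnostic page of a router's admin interface. The host string is assumed
 * to arrive from an authenticated administrator's HTTP request. */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the request parameter is concatenated into a command
 * line that would be handed to system()/popen(). Any shell metacharacter in
 * `host` becomes part of the command. This function only builds the string
 * so the problem can be inspected; it never executes it. */
int build_shell_command(char *out, size_t outlen, const char *host) {
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Detection helper: returns 1 if `s` contains a character a POSIX shell
 * would interpret (useful for logging/alerting on rejected input). */
int has_shell_metachar(const char *s) {
    return strpbrk(s, ";|&$`<>()\n\r'\"\\ ") != NULL;
}

/* Hardened input check: accept only a syntactically valid IPv4 or IPv6
 * literal. An allowlist of what the field IS is more robust than a denylist
 * of characters the field must not contain. */
int validate_host(const char *host) {
    unsigned char buf[16];
    if (host == NULL || strlen(host) > 45) return 0;
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Hardened execution: the validated value is passed as its own argv element
 * to execlp(), so no shell ever parses it. Returns ping's exit status, or -1
 * if the host was rejected or the child could not be started. */
int safe_ping(const char *host) {
    if (!validate_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", host, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    /* Constructed sample input: an address with a trailing shell separator. */
    const char *tainted = "192.0.2.1;ls";
    build_shell_command(cmd, sizeof cmd, tainted);
    printf("vulnerable command line: \"%s\" (metachars: %d)\n",
           cmd, has_shell_metachar(tainted));
    printf("validate_host(\"192.0.2.1\") = %d\n", validate_host("192.0.2.1"));
    printf("validate_host(tainted)     = %d\n", validate_host(tainted));
    printf("safe_ping(tainted)         = %d\n", safe_ping(tainted));
    return 0;
}
```

The fix is structural rather than cosmetic: even a perfect denylist of metacharacters leaves the shell in the execution path, whereas `execlp()` with a validated argv element removes it entirely, which is the change a firmware update for this class of issue would typically make.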
Vendor Information

CWE

  1. OS Command Injection (CWE-78)
CVE

  1. CVE-2024-22372

References

  1. JVN : JVNVU#90908488
  2. National Vulnerability Database (NVD) : CVE-2024-22372
Revision History

  • [2024/01/24]
      Web page was published
  • [2024/03/06]
      References: Content was added