ELECOM wireless LAN routers vulnerable to OS command injection


Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability.

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.8 (Medium) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.2 (Medium) [Other]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

  • WMC-X1800GST-B v1.41 and earlier
  • WRC-1167GS2-B v1.67 and earlier
  • WRC-1167GS2H-B v1.67 and earlier
  • WRC-2533GS2-B v1.62 and earlier
  • WRC-2533GS2-W v1.62 and earlier
  • WRC-2533GS2V-B v1.62 and earlier
  • WRC-G01-W v1.24 and earlier
  • WRC-X3200GST3-B v1.25 and earlier

WMC-X1800GST-B is also included in e-Mesh Starter Kit "WMC-2LX-B" provided by ELECOM CO.,LTD.

If a logged-in user with an administrative privilege sends a specially crafted request to the affected product, an arbitrary OS command may be executed.

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
Vendor Information

CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [Other]
CVE (What is CVE?)

  1. CVE-2024-25579

  1. JVN : JVNVU#99444194
Revision History

  • [2024/02/22]
      Web page was published
  • [2024/03/27]
      Affected Products : Products were added 
  • [2024/05/29]
      Affected Products : Product was added