JVNDB-2024-002831

ELECOM wireless LAN routers vulnerable to OS command injection

Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability.

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

ELECOM CO.,LTD.

• WMC-X1800GST-B v1.41 and earlier
• WRC-1167GS2-B v1.67 and earlier
• WRC-1167GS2H-B v1.67 and earlier
• WRC-2533GS2-B v1.62 and earlier
• WRC-2533GS2-W v1.62 and earlier
• WRC-2533GS2V-B v1.62 and earlier
• WRC-2533GST2 firmware v1.30 and earlier
• WRC-G01-W v1.24 and earlier
• WRC-X3200GST3-B v1.25 and earlier

WMC-X1800GST-B is also included in e-Mesh Starter Kit "WMC-2LX-B" provided by ELECOM CO.,LTD.

If a logged-in user with an administrative privilege sends a specially crafted request to the affected product, an arbitrary OS command may be executed.

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

ELECOM CO.,LTD.

• ELECOM CO.,LTD : ELECOM CO.,LTD. website (in Japanese)

1. OS Command Injection(CWE-78) [Other]

1. CVE-2024-25579

1. JVN : JVNVU#99444194

• [2024/02/22]
    Web page was published
• [2024/03/27]
    Affected Products : Products were added 
  
• [2024/05/29]
    Affected Products : Product was added
• [2024/08/28]
    Affected Products : Product was added