
JVNDB-2026-000073

Multiple vulnerabilities in ELECOM wireless LAN routers and access points (May 2026)

Overview

Multiple wireless LAN routers and access points provided by ELECOM CO.,LTD. contain the multiple vulnerabilities listed below.

  • Use of a hard-coded cryptographic key when creating backups of configuration files (CWE-321) - CVE-2026-25107
  • OS command injection in processing of the ping_ip_addr parameter (CWE-78) - CVE-2026-35506
  • Missing authentication when accepting requests to specific URLs (CWE-288) - CVE-2026-40621
  • OS command injection in processing of the username parameter (CWE-78) - CVE-2026-42062
  • Stored cross-site scripting due to inadequate handling of the hostname parameter (CWE-79) - CVE-2026-42948
  • Missing check of the language parameter (CWE-754) - CVE-2026-42950
  • Inadequate CSRF protection (CWE-344) - CVE-2026-42961

The vulnerabilities were reported by the following people, and JPCERT/CC coordinated with the developer.

CVE-2026-25107, CVE-2026-42950, CVE-2026-42961
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.

CVE-2026-42948
Sato Nobuhiro of Suzuki Motor Corporation, Futamata Keisuke of University Of Fukui, Takahashi Natsuki of Shizuoka University, Sasaki Miyu of Waseda University, and Tsuyoshi Tomita of Ministry of Defense reported this vulnerability to IPA.

CVE-2026-35506, CVE-2026-40621, CVE-2026-42062
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
CVSS Severity

CVSS v3 Severity
Base Metrics: 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 9.3 (Critical) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Vulnerable System Impact
      • Confidentiality Impact (VC): High
      • Integrity Impact (VI): High
      • Availability Impact (VA): High
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-40621.

CVSS v3 Severity
Base Metrics: 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 9.3 (Critical) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Vulnerable System Impact
      • Confidentiality Impact (VC): High
      • Integrity Impact (VI): High
      • Availability Impact (VA): High
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-42062.

CVSS v3 Severity
Base Metrics: 7.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 8.6 (High) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): High
  • User Interaction (UI): None
  • Vulnerable System Impact
      • Confidentiality Impact (VC): High
      • Integrity Impact (VI): High
      • Availability Impact (VA): High
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-35506.

CVSS v3 Severity
Base Metrics: 6.5 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
CVSS v4 Severity
Base Metrics: 6.9 (Medium) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): Active
  • Vulnerable System Impact
      • Confidentiality Impact (VC): None
      • Integrity Impact (VI): High
      • Availability Impact (VA): None
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-25107.

CVSS v3 Severity
Base Metrics: 4.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS v4 Severity
Base Metrics: 4.8 (Medium) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): High
  • User Interaction (UI): Passive
  • Vulnerable System Impact
      • Confidentiality Impact (VC): None
      • Integrity Impact (VI): None
      • Availability Impact (VA): None
  • Subsequent System Impact
      • Confidentiality Impact (SC): Low
      • Integrity Impact (SI): Low
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-42948.

CVSS v3 Severity
Base Metrics: 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS v4 Severity
Base Metrics: 5.1 (Medium) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): Active
  • Vulnerable System Impact
      • Confidentiality Impact (VC): None
      • Integrity Impact (VI): None
      • Availability Impact (VA): Low
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-42950.

CVSS v3 Severity
Base Metrics: 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS v4 Severity
Base Metrics: 5.1 (Medium) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): Active
  • Vulnerable System Impact
      • Confidentiality Impact (VC): None
      • Integrity Impact (VI): Low
      • Availability Impact (VA): None
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-42961.
Affected Products


ELECOM CO.,LTD.
  • WAB-BE187-M v1.1.10 and earlier (CVE-2026-42948, CVE-2026-42950, CVE-2026-42961)
  • WAB-BE36-M v1.1.3 and earlier (CVE-2026-42948, CVE-2026-42950, CVE-2026-42961)
  • WAB-BE36-S v1.1.3 and earlier (CVE-2026-42948, CVE-2026-42950, CVE-2026-42961)
  • WAB-BE72-M v1.1.3 and earlier (CVE-2026-42948, CVE-2026-42950, CVE-2026-42961)
  • WRC-BE65QSD-B v1.1.0 and earlier (CVE-2026-35506, CVE-2026-40621, CVE-2026-42062)
  • WRC-BE72XSD-B v1.1.1 and earlier (CVE-2026-35506, CVE-2026-40621, CVE-2026-42062)
  • WRC-BE72XSD-BA v1.1.1 and earlier (CVE-2026-35506, CVE-2026-40621, CVE-2026-42062)
  • WRC-W702-B v1.1.0 and earlier (CVE-2026-35506, CVE-2026-40621, CVE-2026-42062)
  • WRC-X1800GS-B v1.19 and earlier (CVE-2026-25107)
  • WRC-X1800GSA-B v1.19 and earlier (CVE-2026-25107)
  • WRC-X1800GSH-B v1.19 and earlier (CVE-2026-25107)
  • WRC-X3000GS2-B v1.09 and earlier (CVE-2026-25107)
  • WRC-X3000GS2-W v1.09 and earlier (CVE-2026-25107)
  • WRC-X3000GS2A-B v1.09 and earlier (CVE-2026-25107)
  • WRC-X3000GST2-B v1.06 and earlier (CVE-2026-25107)
  • WRC-X6000QS-G v1.14 and earlier (CVE-2026-25107)
  • WRC-X6000QSA-G v1.14 and earlier (CVE-2026-25107)
  • WRC-X6000XS-G v1.12 and earlier (CVE-2026-25107)
  • WRC-X6000XST-G v1.16 and earlier (CVE-2026-25107)
  • WRC-XE5400GS-G v1.13 and earlier (CVE-2026-25107)
  • WRC-XE5400GSA-G v1.13 and earlier (CVE-2026-25107)

Impact

  • The configuration file of the product may be tampered with by an attacker who knows the encryption key (CVE-2026-25107)
  • If the product processes a crafted request sent by a logged-in user, an arbitrary OS command may be executed (CVE-2026-35506)
  • The affected product may be operated without authentication (CVE-2026-40621)
  • An arbitrary OS command may be executed without authentication (CVE-2026-42062)
  • If one of the administrators inputs malicious data, an arbitrary script may be executed in another administrative user's web browser (CVE-2026-42948)
  • If a user views a malicious page while logged in, the admin page in the user's web browser may be broken (CVE-2026-42950)
  • If a user views a malicious page while logged in, the user may be tricked into performing unintended operations (CVE-2026-42961)
Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
Vendor Information

ELECOM CO.,LTD.
CWE

  1. OS Command Injection (CWE-78) [IPA Evaluation]
  2. Cross-site Scripting (CWE-79) [IPA Evaluation]
  3. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2026-25107
  2. CVE-2026-35506
  3. CVE-2026-40621
  4. CVE-2026-42062
  5. CVE-2026-42948
  6. CVE-2026-42950
  7. CVE-2026-42961
References

  1. JVN: JVN#03037325
Revision History

  • [2026/05/12] Web page was published
  • [2026/05/20] Overview was modified