Critical Flaws in ELECOM Routers: JPCERT/CC Issues Warning Over Command Injection and XSS Risks

In its latest vulnerability disclosure, JPCERT/CC has sounded the alarm on multiple critical security flaws affecting a range of wireless LAN routers manufactured by ELECOM CO., LTD. The vulnerabilities, which include unauthenticated remote code execution, command injection, and stored cross-site scripting (XSS), pose significant risks to both enterprise and consumer networks in Japan and beyond.

“Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities,” JPCERT/CC states in the advisory.

The affected devices include popular models such as the WRC-2533GST2, WRC-X3000GS, WRC-1167GHBK2-S, and WRH-733GBK, among others. These routers suffer from a range of security issues tracked under the following CVE identifiers:

• CVE-2025-36519 – Unrestricted upload of dangerous file types

This vulnerability impacts ELECOM’s WRC-2533GST2 (v1.31 and earlier) and WRC-1167GST2 (v1.34 and earlier) models. It allows an authenticated attacker to upload files with dangerous types through the router’s web interface. A specially crafted file, if accepted by the system, may lead to arbitrary code execution. Although the CVSS score is a moderate 4.3, the risk escalates significantly if attackers already have login access.

• CVE-2025-41427 – OS command injection via Connection Diagnostics page

Routers including WRC-X3000GS, WRC-X3000GSA, and WRC-X3000GSN (firmware v1.0.34 and earlier or v1.0.9 and earlier) are vulnerable to an OS command injection attack via their Connection Diagnostics page. An authenticated attacker can exploit this by submitting a crafted request, leading to full system command execution. With a CVSS score of 8.8, this flaw poses a critical risk to router integrity and network security.

• CVE-2025-43877 – Stored XSS in WebGUI

The WRC-1167GHBK2-S router series (all versions) suffers from a stored XSS vulnerability within the WebGUI. By injecting malicious scripts into the router’s administrative interface, attackers can compromise the web browser of any user who accesses the WebGUI, leading to possible session hijacking or credential theft. The CVSS base score of 5.4 reflects the medium risk, although the impact can be amplified in shared or public network environments.

• CVE-2025-43879 – OS command injection via telnet

In perhaps the most severe finding, JPCERT warns that WRH-733GBK and WRH-733GWH routers are exposed to a remote unauthenticated command injection vulnerability via the Telnet interface. Rated 9.8 on the CVSS scale, this issue allows any attacker with network access to execute system-level commands without needing login credentials, presenting an urgent threat to routers still deployed in the wild.

• CVE-2025-48890 – OS command injection via miniigd SOAP service

Also affecting the WRH-733GBK and WRH-733GWH models, this vulnerability targets the miniigd SOAP service, allowing attackers to run OS-level commands remotely and without authentication. Like CVE-2025-43879, this flaw carries a CVSS score of 9.8 and enables attackers to control the device entirely, potentially altering its behavior or using it as a foothold to pivot deeper into the network.

For vulnerabilities CVE-2025-36519 and CVE-2025-41427, ELECOM has released firmware updates, and users are advised to patch immediately. However, for the remaining vulnerabilities—including CVE-2025-43877, CVE-2025-43879, and CVE-2025-48890—the affected products are no longer supported. JPCERT/CC recommends discontinuing the use of these routers altogether.

For users unable to transition immediately, temporary steps include:

• Changing the WebGUI login password
• Avoiding other websites while logged into the WebGUI
• Closing the browser after use
• Deleting stored credentials

Related Posts:

• JPCERT/CC Warns: MirrorFace LODEINFO & NOOPDOOR Malware Targeting Industry
• I-O DATA Routers Under Attack: Urgent Firmware Update Needed!
• KartLANPwn (CVE-2024-45200) Exploits Mario Kart 8 Deluxe LAN Play Feature for RCE
• Inaba Denki Sangyo Wi-Fi AP Units Affected by Critical Vulnerabilities