In a major security disclosure, JPCERT/CC has issued an urgent advisory regarding multiple high-severity vulnerabilities discovered in various wireless LAN routers and access points provided by ELECOM CO., LTD. The report highlights a dangerous collection of flaws—including OS Command Injection and Authentication Bypass—that could allow attackers to seize complete control of network hardware without needing a password.
With CVSS scores reaching as high as 9.8, this isn’t just a minor patch; it’s a critical infrastructure warning for home and office users alike.
The most alarming vulnerabilities in this disclosure are those that bypass authentication entirely, giving remote attackers immediate “keys to the kingdom.”
- OS Command Injection (CVE-2026-42062): Carrying a 9.8 CVSS, this vulnerability resides in how the system processes the username parameter. An unauthenticated attacker can send a crafted request to execute arbitrary OS commands directly on the device.
- Missing Authentication (CVE-2026-40621): Another 9.8 CVSS flaw, this involves specific URLs that “fail open,” allowing the affected product to be operated without any authentication whatsoever.
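As an added example (not code from the JPCERT/CC advisory or from ELECOM), here is a small Python detector that scans access-log-style lines from a router's admin interface for the two patterns behind the 9.8-rated flaws above: shell metacharacters in a login username parameter, and admin pages served with HTTP 200 to requests that carry no session cookie. The log format, the `/admin/` prefix and the sample lines are assumptions, since the advisory does not name the affected URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Assumed admin path prefix and log format (the advisory names no URLs);
# the sample log below is constructed for this example.
ADMIN_PREFIX = "/admin/"
SHELL_META = re.compile(r"[;|&`$()<>\n]")  # no place in a username
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" '
                    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$')

def parse_line(line):
    # One log line -> dict with percent-decoded query parameters, or None.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = urlsplit(entry["target"])
    entry["path"], entry["query"] = parts.path, parse_qs(parts.query)
    return entry

def classify(entry):
    # Injection attempt in "username", and/or an admin page served with
    # HTTP 200 to a request carrying no session cookie (fail open).
    findings = []
    for user in entry["query"].get("username", []):
        if SHELL_META.search(user):
            findings.append("cmd-injection-attempt")
    if (entry["path"].startswith(ADMIN_PREFIX) and entry["status"] == 200
            and not entry["cookie"]):
        findings.append("unauthenticated-admin-access")
    return findings

def scan(lines):
    # (ip, path, finding) tuples in log order; unparseable lines are skipped.
    alerts = []
    for entry in filter(None, map(parse_line, lines)):
        for finding in classify(entry):
            alerts.append((entry["ip"], entry["path"], finding))
    return alerts

# Constructed sample: benign login, injection attempt, admin page with no
# session cookie, benign admin request with a session, rejected request.
SAMPLE_LOG = [
    '203.0.113.5 "POST /login.cgi?username=admin&password=x" 200 cookie="sid=abc"',
    '198.51.100.7 "POST /login.cgi?username=admin%3B%20id" 500 cookie=""',
    '198.51.100.7 "GET /admin/config.cgi" 200 cookie=""',
    '203.0.113.5 "GET /admin/config.cgi" 200 cookie="sid=abc"',
    '192.0.2.9 "GET /admin/status.cgi" 401 cookie=""',
]
```

Running `scan(SAMPLE_LOG)` flags only the second and third sample lines; a real deployment would feed the device's actual log format and admin paths into `LOG_RE` and `ADMIN_PREFIX`.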
The advisory also details several other methods attackers can use to degrade network security or manipulate users:
- Hard-coded Credentials (CVE-2026-25107): The use of a hard-coded cryptographic key for configuration backups means an attacker who knows the key can tamper with the product’s configuration file.
- Administrative Hijacking (CVE-2026-42948): A stored Cross-Site Scripting (XSS) vulnerability allows an administrator to input malicious data that triggers arbitrary script execution in the browser of another administrative user.
- Social Engineering Vectors (CVE-2026-42961): Inadequate CSRF protection could be used to trick a logged-in user into performing unintended operations just by viewing a malicious webpage.
The vulnerability list covers a wide range of ELECOM models. Key affected product families include:
- WRC-X Series: Including X3000GS2, X1800GS, X6000QS/XS, and XE5400GS models.
- WRC-BE Series: Including BE72XSD and BE65QSD models.
- WAB-BE Series: Professional access points like the BE187-M and BE72-M.
Note: In most cases, versions earlier than the current v1.1x release train are vulnerable.
Remediation: Secure Your Gateway Now
- Check Your Model: Identify your ELECOM router or access point model and its current firmware version.
- Update Immediately: Visit the developer’s support page and update the firmware to the latest version.
- Audit Settings: While updating, ensure that remote management interfaces are disabled if not strictly necessary, reducing the surface area for unauthenticated attacks.