CVE-2026-35506: Command Injection in ELECOM WRC-BE72XSD-B
Plattform
linux
Komponente
elecom-wrc-be72xsd-b
CVE-2026-35506 describes a command injection vulnerability discovered in the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. This flaw allows a logged-in user to execute arbitrary operating system commands on the device, potentially leading to complete system compromise. The vulnerability affects versions 1.1.0 through v1.1.1. A firmware update is required to resolve this issue.
Auswirkungen und Angriffsszenarien
The impact of this command injection vulnerability is significant. A successful attacker can gain complete control over the affected access point, enabling them to modify system configurations, steal sensitive data (including network credentials and user information), and potentially pivot to other devices on the network. The ability to execute arbitrary OS commands bypasses standard access controls, making it a highly dangerous vulnerability. Attackers could leverage this to establish a persistent presence on the network, conduct surveillance, or launch further attacks against internal resources. The blast radius extends beyond the access point itself, potentially impacting the entire network infrastructure.
Ausnutzungskontext
CVE-2026-35506 was published on May 13, 2026. The vulnerability's severity is rated HIGH (CVSS 7.2). Currently, there are no publicly available proof-of-concept exploits. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the near term. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Bedrohungsanalyse
Exploit-Status
CISA SSVC
CVSS-Vektor
Was bedeuten diese Metriken?
- Attack Vector
- Netzwerk — aus der Ferne über das Internet ausnutzbar. Kein physischer oder lokaler Zugriff erforderlich.
- Attack Complexity
- Niedrig — keine besonderen Bedingungen erforderlich. Zuverlässig ausnutzbar.
- Privileges Required
- Hoch — Administrator- oder Privilegienkonto erforderlich.
- User Interaction
- Keine — automatischer und lautloser Angriff. Das Opfer tut nichts.
- Scope
- Unverändert — Auswirkung auf das anfällige Komponente beschränkt.
- Confidentiality
- Hoch — vollständiger Vertraulichkeitsverlust. Angreifer kann alle Daten lesen.
- Integrity
- Hoch — Angreifer kann beliebige Daten schreiben, ändern oder löschen.
- Availability
- Hoch — vollständiger Absturz oder Ressourcenerschöpfung. Totaler Denial of Service.
Betroffene Software
Schwachstellen-Klassifikation (CWE)
Zeitleiste
- Reserviert
- Veröffentlicht
Mitigation und Workarounds
The primary mitigation for CVE-2026-35506 is to upgrade the ELECOM WRC-BE72XSD-B access point to a firmware version that addresses the vulnerability. ELECOM has not yet released a patch, so monitoring their website for updates is crucial. As a temporary workaround, consider restricting access to the management interface to trusted networks only, and implementing strict authentication policies. While not a complete solution, these measures can reduce the attack surface. If an upgrade is not immediately possible, consider temporarily disabling features that rely on the vulnerable parameter, though this may impact functionality. After applying a firmware update, verify the fix by attempting to inject a command through the pingipaddr parameter and confirming that it is rejected.
So behebenwird übersetzt…
Actualice el firmware del dispositivo ELECOM WRC-BE72XSD-B a una versión corregida. Consulte el sitio web de ELECOM para obtener más información sobre las actualizaciones de firmware y las instrucciones de instalación.
Häufig gestellte Fragen
What is CVE-2026-35506 — Command Injection in ELECOM WRC-BE72XSD-B?
CVE-2026-35506 is a HIGH severity command injection vulnerability affecting ELECOM WRC-BE72XSD-B access points. A logged-in user can execute arbitrary OS commands via the pingipaddr parameter, potentially leading to full system compromise.
Am I affected by CVE-2026-35506 in ELECOM WRC-BE72XSD-B?
You are affected if you are using an ELECOM WRC-BE72XSD-B access point running version 1.1.0 through v1.1.1. Check your firmware version and monitor for updates from ELECOM.
How do I fix CVE-2026-35506 in ELECOM WRC-BE72XSD-B?
The recommended fix is to upgrade to a patched firmware version from ELECOM. Monitor their website for updates. Until a patch is available, restrict access to the management interface and implement strong authentication.
Is CVE-2026-35506 being actively exploited?
Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-35506. However, the vulnerability's severity warrants ongoing monitoring and proactive mitigation.
Where can I find the official ELECOM advisory for CVE-2026-35506?
Please refer to the ELECOM website for official security advisories and firmware updates related to CVE-2026-35506. Check their support section for the WRC-BE72XSD-B model.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Jetzt testen — kein Konto
Laden Sie ein Manifest hoch (composer.lock, package-lock.json, WordPress Plugin-Liste…) oder fügen Sie Ihre Komponentenliste ein. Sie erhalten sofort einen Schwachstellenbericht. Das Hochladen einer Datei ist nur der Anfang: Mit einem Konto erhalten Sie kontinuierliche Überwachung, Slack/email-Benachrichtigungen, Multi-Projekt- und White-Label-Berichte.
Abhängigkeitsdatei hier ablegen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...