CVE-2026-42062: Command Injection in ELECOM WRC-BE72XSD-B
Plattform
linux
Komponente
elecom-wrc-be72xsd-b
CVE-2026-42062 describes a critical command injection vulnerability discovered in the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. This flaw allows an attacker to execute arbitrary operating system commands without authentication. The vulnerability affects versions 1.1.0 through v1.1.1 and requires immediate attention to prevent unauthorized access and control of the device. A fix is pending from ELECOM.
Auswirkungen und Angriffsszenarien
The impact of this vulnerability is severe. Due to the lack of authentication, any attacker can exploit this command injection by crafting a malicious request containing arbitrary commands. Successful exploitation grants the attacker complete control over the affected access point, enabling them to modify configurations, steal sensitive data (such as network credentials or user information stored on the device), install malware, and potentially pivot to other systems on the network. The absence of authentication significantly lowers the barrier to entry for attackers, making this a high-priority risk. This vulnerability shares similarities with other command injection flaws where attackers can bypass access controls and gain root-level privileges.
Ausnutzungskontext
CVE-2026-42062 was published on May 13, 2026. The vulnerability's criticality (CVSS 9.8) indicates a high probability of exploitation. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation due to the lack of authentication suggests that it is likely to become a target for opportunistic attackers. The vulnerability is not currently listed on KEV or EPSS, but its severity warrants close monitoring. Refer to the ELECOM security advisory for further details and updates.
Bedrohungsanalyse
Exploit-Status
CISA SSVC
CVSS-Vektor
Was bedeuten diese Metriken?
- Attack Vector
- Netzwerk — aus der Ferne über das Internet ausnutzbar. Kein physischer oder lokaler Zugriff erforderlich.
- Attack Complexity
- Niedrig — keine besonderen Bedingungen erforderlich. Zuverlässig ausnutzbar.
- Privileges Required
- Keine — ohne Authentifizierung ausnutzbar. Keine Zugangsdaten erforderlich.
- User Interaction
- Keine — automatischer und lautloser Angriff. Das Opfer tut nichts.
- Scope
- Unverändert — Auswirkung auf das anfällige Komponente beschränkt.
- Confidentiality
- Hoch — vollständiger Vertraulichkeitsverlust. Angreifer kann alle Daten lesen.
- Integrity
- Hoch — Angreifer kann beliebige Daten schreiben, ändern oder löschen.
- Availability
- Hoch — vollständiger Absturz oder Ressourcenerschöpfung. Totaler Denial of Service.
Betroffene Software
Schwachstellen-Klassifikation (CWE)
Zeitleiste
- Reserviert
- Veröffentlicht
Mitigation und Workarounds
Currently, no official patch is available from ELECOM. Until a patch is released, the primary mitigation strategy is to isolate the affected access points from external networks. Implement strict firewall rules to block all inbound traffic except for essential management ports. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests targeting the username parameter. Regularly monitor access point logs for suspicious activity, specifically looking for unusual command executions. If possible, temporarily disable remote management features to reduce the attack surface. After a patch is released, upgrade the access point firmware immediately and verify the fix by attempting to inject a simple command (e.g., whoami) via the username parameter; the command should not be executed.
So behebenwird übersetzt…
Actualice el firmware del dispositivo WRC-BE72XSD-B a una versión corregida. Consulte el sitio web de ELECOM para obtener más información y las actualizaciones de firmware disponibles: https://www.elecom.co.jp/news/security/20260512-01/
Häufig gestellte Fragen
What is CVE-2026-42062 — Command Injection in ELECOM WRC-BE72XSD-B?
CVE-2026-42062 is a critical command injection vulnerability in the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. It allows attackers to execute arbitrary OS commands without authentication, potentially leading to full system compromise.
Am I affected by CVE-2026-42062 in ELECOM WRC-BE72XSD-B?
You are affected if you are using an ELECOM WRC-BE72XSD-B access point running version 1.1.0–v1.1.1 or earlier. Check your device's firmware version to determine if you are vulnerable.
How do I fix CVE-2026-42062 in ELECOM WRC-BE72XSD-B?
Currently, no patch is available. Mitigate by isolating the device, implementing firewall rules, and monitoring logs. Upgrade to a patched version as soon as ELECOM releases one.
Is CVE-2026-42062 being actively exploited?
While no public POC exists, the ease of exploitation suggests it is likely to become a target. Monitor your network and access point logs for suspicious activity.
Where can I find the official ELECOM advisory for CVE-2026-42062?
Refer to the ELECOM website for security advisories and updates regarding CVE-2026-42062. Check their support pages and security bulletin section for the latest information.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Jetzt testen — kein Konto
Laden Sie ein Manifest hoch (composer.lock, package-lock.json, WordPress Plugin-Liste…) oder fügen Sie Ihre Komponentenliste ein. Sie erhalten sofort einen Schwachstellenbericht. Das Hochladen einer Datei ist nur der Anfang: Mit einem Konto erhalten Sie kontinuierliche Überwachung, Slack/email-Benachrichtigungen, Multi-Projekt- und White-Label-Berichte.
Abhängigkeitsdatei hier ablegen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...