Pending AnalysisCVE-2026-40621

CVE-2026-40621: Authentication Bypass in ELECOM WRC-BE72XSD-B

Platform

linux

Component

elecom-wrc-be72xsd-b

CVE-2026-40621 describes a critical authentication bypass vulnerability affecting ELECOM WRC-BE72XSD-B Wireless LAN Access Points. This flaw allows attackers to access specific URLs without authentication, potentially leading to unauthorized access and control. The vulnerability impacts versions 1.1.0 through v1.1.1. A firmware update is required to remediate this issue.

Impact and Attack Scenarios

The lack of authentication on certain URLs within the ELECOM WRC-BE72XSD-B access point presents a significant security risk. An attacker could exploit this vulnerability to gain unauthorized access to sensitive configuration data, such as network settings, passwords, and potentially even user credentials stored on the device. This could allow them to modify the network configuration, redirect traffic, launch attacks against other devices on the network, or even gain complete control of the access point. The potential blast radius extends to all devices connected to the affected network, making this a high-priority vulnerability to address.

Exploitation Context

CVE-2026-40621 was published on May 13, 2026. Its severity is rated CRITICAL (9.8) by CVSS. As of this writing, there are no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not currently listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the near term, but the critical severity warrants immediate attention. Monitor security advisories from ELECOM and security research communities for updates.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

CISA SSVC

Exploitationnone

Automatableyes

Technical Impacttotal

CVSS Vector

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentelecom-wrc-be72xsd-b

VendorELECOM CO.,LTD.

Minimum version1.1.0

Maximum versionv1.1.1 and earlier

Weakness Classification (CWE)

CWE-288

Timeline

Reserved2026-05-07
Published2026-05-13

Mitigation and Workarounds

The primary mitigation for CVE-2026-40621 is to upgrade the ELECOM WRC-BE72XSD-B Wireless LAN Access Point to a patched firmware version. ELECOM has not yet released a fixed version, so monitoring their website for updates is crucial. Until a patch is available, consider implementing network segmentation to isolate the access point from critical resources. Additionally, restrict access to the access point's management interface using a firewall and strong passwords for any existing authentication mechanisms. Regularly review access logs for any suspicious activity.

How to fix

Actualice el firmware del dispositivo ELECOM WRC-BE72XSD-B a una versión corregida que implemente la autenticación adecuada para el acceso a URLs específicas. Consulte la página de soporte de ELECOM para obtener más información sobre las actualizaciones de firmware disponibles: https://www.elecom.co.jp/news/security/20260512-01/

Frequently asked questions

What is CVE-2026-40621 — Authentication Bypass in ELECOM WRC-BE72XSD-B?

CVE-2026-40621 is a critical vulnerability affecting ELECOM WRC-BE72XSD-B Wireless LAN Access Points. It allows attackers to access specific URLs without authentication, potentially gaining unauthorized access to sensitive data and control of the device.

Am I affected by CVE-2026-40621 in ELECOM WRC-BE72XSD-B?

You are affected if you are using ELECOM WRC-BE72XSD-B Wireless LAN Access Points running versions 1.1.0 through v1.1.1. Check your device's firmware version to determine if you are vulnerable.

How do I fix CVE-2026-40621 in ELECOM WRC-BE72XSD-B?

The recommended fix is to upgrade to a patched firmware version from ELECOM. Monitor ELECOM's website for updates. Until a patch is available, implement network segmentation and restrict access to the management interface.

Is CVE-2026-40621 being actively exploited?

As of the current date, there are no publicly known active exploitation campaigns targeting CVE-2026-40621. However, the critical severity warrants immediate attention and proactive mitigation.

Where can I find the official ELECOM advisory for CVE-2026-40621?

Please refer to the ELECOM website for the latest security advisories and firmware updates related to CVE-2026-40621. Check their support section or contact their customer support for assistance.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs

livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...

Browse files