Pending AnalysisCVE-2026-42062

CVE-2026-42062: Command Injection in ELECOM WRC-BE72XSD-B

Platform

linux

Component

elecom-wrc-be72xsd-b

CVE-2026-42062 describes a critical command injection vulnerability discovered in the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. This flaw allows an attacker to execute arbitrary operating system commands without authentication, potentially leading to complete system takeover. The vulnerability affects versions 1.1.0 through v1.1.1. A fix is pending from ELECOM.

Impact and Attack Scenarios

The impact of this vulnerability is severe. Because no authentication is required, any attacker with network access to the access point can exploit it. Successful exploitation allows an attacker to execute arbitrary OS commands on the device, effectively gaining complete control. This could involve installing malware, stealing sensitive data (configuration files, user credentials stored on the device), modifying system settings, or using the access point as a pivot point to attack other systems on the network. The blast radius extends to any systems accessible from the compromised access point, making it a high-priority security concern.

Exploitation Context

The vulnerability was publicly disclosed on 2026-05-13. Exploitation probability is currently assessed as medium due to the ease of exploitation and lack of authentication. No known active campaigns targeting this vulnerability have been reported, but the lack of authentication makes it a prime target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for updates.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports2 threat reports

CISA SSVC

Exploitationnone

Automatableyes

Technical Impacttotal

CVSS Vector

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentelecom-wrc-be72xsd-b

VendorELECOM CO.,LTD.

Minimum version1.1.0

Maximum versionv1.1.1 and earlier

Weakness Classification (CWE)

CWE-78

Timeline

Reserved2026-05-07
Published2026-05-13

Mitigation and Workarounds

Given the lack of a currently available patch, immediate mitigation steps are crucial. Implement strict network segmentation to isolate the WRC-BE72XSD-B access point from critical systems. Consider using a Web Application Firewall (WAF) or proxy server to filter incoming requests and block those containing suspicious characters or commands in the username field. Monitor network traffic for unusual activity, particularly attempts to execute commands. Regularly review access point configurations and disable any unnecessary services. Once ELECOM releases a patch, apply it immediately. After upgrade, confirm by attempting a command injection attack via the username parameter; it should be rejected.

How to fix

Actualice el firmware del dispositivo WRC-BE72XSD-B a una versión corregida. Consulte el sitio web de ELECOM para obtener más información y las actualizaciones de firmware disponibles: https://www.elecom.co.jp/news/security/20260512-01/

Frequently asked questions

What is CVE-2026-42062 — Command Injection in ELECOM WRC-BE72XSD-B?

CVE-2026-42062 is a critical command injection vulnerability affecting the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. It allows attackers to execute arbitrary OS commands without authentication, potentially leading to complete system compromise.

Am I affected by CVE-2026-42062 in ELECOM WRC-BE72XSD-B?

You are affected if you are using the ELECOM WRC-BE72XSD-B Wireless LAN Access Point with firmware versions 1.1.0–v1.1.1 or earlier. Immediate action is required.

How do I fix CVE-2026-42062 in ELECOM WRC-BE72XSD-B?

Upgrade to a patched version of the firmware as soon as it becomes available from ELECOM. Until then, implement network segmentation and WAF rules to mitigate the risk.

Is CVE-2026-42062 being actively exploited?

While no active campaigns have been reported, the ease of exploitation and lack of authentication make it a likely target for opportunistic attackers. Continuous monitoring is recommended.

Where can I find the official ELECOM advisory for CVE-2026-42062?

Please refer to the ELECOM website and security advisories for the latest information and patch releases regarding CVE-2026-42062. Check their support pages for updates.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs

livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...

Browse files