Pending Analysis · CVE-2026-42961

CVE-2026-42961: CSRF in ELECOM WAB-BE187-M Access Point

Platform

linux

Component

elecom-wab-be187-m

CVE-2026-42961 describes a Cross-Site Request Forgery (CSRF) vulnerability in the ELECOM WAB-BE187-M Wireless LAN Access Point. The flaw could allow an attacker to execute unauthorized actions on behalf of an authenticated user who is tricked into visiting a malicious webpage. The vulnerability affects devices running versions 1.1.3 through 1.1.10, and a fix is expected from ELECOM.

Impact and Attack Scenarios

The primary impact of this CSRF vulnerability lies in the potential for unauthorized configuration changes or administrative actions. An attacker could craft a malicious webpage that, when visited by an authenticated administrator, could modify network settings, add or remove users, or even reset the device to factory defaults. This could lead to network disruption, data breaches, or complete compromise of the access point. The attack surface is broad, as any user with valid credentials is potentially at risk. Successful exploitation requires social engineering to lure a user into visiting the malicious page, but the consequences can be severe.

Exploitation Context

As of the publication date (2026-05-13), there is no public proof-of-concept (PoC) code available for CVE-2026-42961. The vulnerability's severity is rated MEDIUM (CVSS 4.3). It is not currently listed on KEV or EPSS, suggesting a low to medium probability of active exploitation. Monitor security advisories from ELECOM and security research communities for updates.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High
Reports: 1 threat report

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 Base Score: 4.3 MEDIUM
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: elecom-wab-be187-m
Vendor: ELECOM CO.,LTD.
Minimum version: 1.1.3
Maximum version: v1.1.10 and earlier

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The immediate mitigation for CVE-2026-42961 is to upgrade the ELECOM WAB-BE187-M Wireless LAN Access Point to a patched firmware version as soon as it becomes available from ELECOM. Until a patch is released, consider implementing stricter access controls and user awareness training to minimize the risk of social engineering attacks. Web Application Firewalls (WAFs) configured with CSRF protection rules can also provide a layer of defense, although effectiveness depends on the WAF's configuration and the specific attack vectors. Monitor access point logs for suspicious activity, particularly unexpected configuration changes.

How to fix

Update the firmware of the ELECOM WAB-BE187-M device to a fixed version. See the ELECOM website for more information on firmware updates and installation instructions.

Frequently asked questions

What is CVE-2026-42961 — CSRF in ELECOM WAB-BE187-M?

CVE-2026-42961 is a Cross-Site Request Forgery (CSRF) vulnerability affecting ELECOM WAB-BE187-M Wireless LAN Access Points, allowing attackers to perform actions as authenticated users.

Am I affected by CVE-2026-42961 in ELECOM WAB-BE187-M?

You are affected if you are using an ELECOM WAB-BE187-M Wireless LAN Access Point running versions 1.1.3 through 1.1.10.

How do I fix CVE-2026-42961 in ELECOM WAB-BE187-M?

Upgrade to a patched firmware version from ELECOM as soon as it becomes available. Until then, implement stricter access controls and user awareness training.

Is CVE-2026-42961 being actively exploited?

As of the publication date, there is no evidence of active exploitation, but it's crucial to apply the patch or mitigation measures promptly.

Where can I find the official ELECOM advisory for CVE-2026-42961?

Check the ELECOM support website and security advisories page for updates regarding CVE-2026-42961 and firmware updates.
