
CVE-2026-35506: Command Injection in ELECOM WRC-BE72XSD-B

Platform: linux

Component: elecom-wrc-be72xsd-b

CVE-2026-35506 describes a Command Injection vulnerability discovered in the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. The flaw allows a logged-in user to execute arbitrary operating system commands, potentially leading to complete system compromise. The vulnerability affects versions 1.1.0 through v1.1.1. A fix is expected from ELECOM but is not yet available.

Impact and Attack Scenarios

The impact of this vulnerability is significant. Successful exploitation allows an attacker who holds a valid logged-in account to execute arbitrary commands on the access point. This could involve modifying system configurations, stealing sensitive data stored on the device (such as network credentials or configuration files), installing malware, or pivoting to other systems on the network. The blast radius extends to any system reachable from the compromised access point, making it a critical security concern. Because the attacker executes OS commands directly, the device's own access controls no longer constrain what a logged-in account can do.

Exploitation Context

CVE-2026-35506 was published on May 13, 2026. Its severity is rated HIGH (CVSS 7.2). Currently, there are no publicly available Proof-of-Concept (PoC) exploits, but the nature of Command Injection vulnerabilities makes it likely that one will emerge. The vulnerability is not currently listed in CISA KEV and has no EPSS score recorded, suggesting a low to medium probability of active exploitation at this time. Monitor security advisories and threat intelligence feeds for updates.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS v3.1 base score: 7.2 (HIGH)
Vector string: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: High — admin or privileged account required to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: elecom-wrc-be72xsd-b
Vendor: ELECOM CO.,LTD.
Minimum version: 1.1.0
Maximum version: v1.1.1 and earlier

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

Because no patch is available, immediate mitigation is crucial. First, isolate affected access points from the internet to prevent external exploitation. Implement strict access controls and multi-factor authentication for all user accounts to limit the potential for unauthorized logins. Consider placing a Web Application Firewall (WAF) or reverse proxy in front of the management interface to filter incoming requests and block those carrying suspicious values in parameters such as pingipaddr. Monitor system logs for unusual activity or command execution attempts. Once ELECOM releases a patch, prioritize upgrading all affected devices immediately. After upgrading, confirm the fix by attempting a crafted request and verifying that OS command execution is blocked.
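The following is an added example, not ELECOM's code and not taken from the advisory, of the filtering and log-monitoring rule described above. It treats the pingipaddr parameter (the only name the advisory gives) as an allowlisted field that must be exactly one IP address literal, so anything else, including stray whitespace, hostnames or shell metacharacters, is rejected without needing a denylist of "bad characters". The request path /cgi-bin/ping.cgi, the Common Log Format lines and all client addresses are constructed assumptions; nothing about the device's real interface is implied.

```python
"""Allowlist filter and log scanner for the pingipaddr parameter.

Added example for the mitigation section; not vendor code. The parameter
name pingipaddr comes from the advisory. The request path, log format and
all sample values are constructed assumptions.
"""
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Parameters whose value must be a bare IP address literal and nothing else.
IP_PARAMS = {"pingipaddr"}


def is_strict_ip(value: str) -> bool:
    """True only if value parses as exactly one IPv4 or IPv6 literal.

    ipaddress.ip_address() rejects surrounding whitespace, hostnames, CIDR
    suffixes and any shell metacharacter, so an allowlist beats a denylist.
    """
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def parse_query(query: str) -> dict[str, list[str]]:
    """Split a query string on '&' only, keeping repeated names as a list.

    Written by hand so that ';' is never treated as a pair separator (older
    parse_qs versions did that, which would hide a trailing ';').
    """
    params: dict[str, list[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def check_request(query: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one request's query string.

    Every occurrence of a protected parameter is checked individually, so a
    clean first value cannot mask a second, malformed one.
    """
    params = parse_query(query)
    for name in IP_PARAMS:
        for value in params.get(name, []):
            if not is_strict_ip(value):
                return False, f"{name} is not a bare IP literal: {value!r}"
    return True, "ok"


# Common Log Format request line, e.g. "GET /path?x=1 HTTP/1.1" 200
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log (assumption: a proxy in front of the device logs
# management requests in Common Log Format). Lines 3 and 4 should be flagged.
SAMPLE_LOG = """\
10.0.0.5 - admin [13/May/2026:10:00:01 +0000] "GET /cgi-bin/ping.cgi?pingipaddr=192.168.1.1 HTTP/1.1" 200 512
10.0.0.5 - admin [13/May/2026:10:00:07 +0000] "GET /cgi-bin/ping.cgi?pingipaddr=2001:db8::1 HTTP/1.1" 200 480
10.0.0.9 - admin [13/May/2026:10:01:15 +0000] "GET /cgi-bin/ping.cgi?pingipaddr=192.168.1.1; HTTP/1.1" 200 512
10.0.0.9 - admin [13/May/2026:10:01:20 +0000] "GET /cgi-bin/ping.cgi?pingipaddr=example.com HTTP/1.1" 200 512
10.0.0.9 - admin [13/May/2026:10:01:30 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 300
"""


def scan_access_log(text: str) -> list[tuple[str, str, str]]:
    """Flag logged requests whose protected parameters fail the allowlist.

    Returns one (client_ip, request_target, reason) tuple per flagged line;
    lines without a protected parameter are ignored.
    """
    flagged: list[tuple[str, str, str]] = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        allowed, reason = check_request(urlsplit(target).query)
        if not allowed:
            flagged.append((line.split(" ", 1)[0], target, reason))
    return flagged


if __name__ == "__main__":
    for client, target, reason in scan_access_log(SAMPLE_LOG):
        print(f"FLAG client={client} target={target} reason={reason}")
```

The same check_request() function can run inline in a reverse proxy (returning 400 before the request reaches the device) and offline over historical logs; running it in both places gives a block rule and a detection rule from one allowlist definition.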

How to fix

Update the firmware of the ELECOM WRC-BE72XSD-B device to a fixed version. Consult the ELECOM website for more information on firmware updates and installation instructions.

Frequently asked questions

What is CVE-2026-35506 — Command Injection in ELECOM WRC-BE72XSD-B?

CVE-2026-35506 is a Command Injection vulnerability affecting the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. A logged-in user can execute arbitrary OS commands via a crafted request, potentially leading to system compromise.

Am I affected by CVE-2026-35506 in ELECOM WRC-BE72XSD-B?

You are affected if you are using the ELECOM WRC-BE72XSD-B Wireless LAN Access Point with firmware versions 1.1.0–v1.1.1 or earlier. Upgrade as soon as a patch is available.

How do I fix CVE-2026-35506 in ELECOM WRC-BE72XSD-B?

Currently, there is no official patch available. Mitigate by isolating the device, implementing strict access controls, and using a WAF. Upgrade to a patched version when released by ELECOM.

Is CVE-2026-35506 being actively exploited?

While no public exploits are currently known, the vulnerability's nature makes it likely that exploitation will occur. Monitor security advisories and threat intelligence feeds.

Where can I find the official ELECOM advisory for CVE-2026-35506?

Refer to the ELECOM support website for updates and advisories regarding CVE-2026-35506. Check their security notice section for the latest information.
