Scanner gratuitement
Analyse en attenteCVE-2026-42062

CVE-2026-42062: Command Injection in ELECOM WRC-BE72XSD-B

Plateforme

linux

Composant

elecom-wrc-be72xsd-b

Voir sur NVD
Sauvegarder

CVE-2026-42062 describes a critical command injection vulnerability discovered in the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. This flaw allows an attacker to execute arbitrary operating system commands without authentication, potentially leading to complete system takeover. The vulnerability affects versions 1.1.0 through v1.1.1. A fix is pending from ELECOM.

Impact et Scénarios d'Attaquetraduction en cours…

The impact of this vulnerability is severe. Because no authentication is required, any attacker with network access to the access point can exploit it. Successful exploitation allows an attacker to execute arbitrary OS commands on the device, effectively gaining complete control. This could involve installing malware, stealing sensitive data (configuration files, user credentials stored on the device), modifying system settings, or using the access point as a pivot point to attack other systems on the network. The blast radius extends to any systems accessible from the compromised access point, making it a high-priority security concern.

Contexte d'Exploitationtraduction en cours…

The vulnerability was publicly disclosed on 2026-05-13. Exploitation probability is currently assessed as medium due to the ease of exploitation and lack of authentication. No known active campaigns targeting this vulnerability have been reported, but the lack of authentication makes it a prime target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for updates.

Renseignement sur les Menaces

Statut de l'Exploit

Preuve de ConceptInconnu
CISA KEVNO
Exposition InternetÉlevée
Rapports2 rapports de menace

CISA SSVC

Exploitationnone
Automatisableyes
Impact Techniquetotal

Vecteur CVSS

RENSEIGNEMENT SUR LES MENACES· CVSS 3.1CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetworkComment l'attaquant atteint la cibleAttack ComplexityLowConditions requises pour exploiterPrivileges RequiredNoneNiveau d'authentification requisUser InteractionNoneSi une action de la victime est requiseScopeUnchangedImpact au-delà du composant affectéConfidentialityHighRisque d'exposition de données sensiblesIntegrityHighRisque de modification non autorisée de donnéesAvailabilityHighRisque d'interruption de servicenextguardhq.com · Score de base CVSS v3.1
Que signifient ces métriques?
Attack Vector
Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
Attack Complexity
Faible — aucune condition spéciale requise. Exploitable de manière fiable.
Privileges Required
Aucun — sans authentification. Aucune identifiant requis pour exploiter.
User Interaction
Aucune — attaque automatique et silencieuse. La victime ne fait rien.
Scope
Inchangé — impact limité au composant vulnérable.
Confidentiality
Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
Integrity
Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
Availability
Élevé — panne complète ou épuisement des ressources. Déni de service total.

Logiciel Affecté

Composantelecom-wrc-be72xsd-b
FournisseurELECOM CO.,LTD.
Version minimale1.1.0
Version maximalev1.1.1 and earlier

Classification de Faiblesse (CWE)

CWE-78

Chronologie

  1. Réservé
  2. Publiée

Mitigation et Contournementstraduction en cours…

Given the lack of a currently available patch, immediate mitigation steps are crucial. Implement strict network segmentation to isolate the WRC-BE72XSD-B access point from critical systems. Consider using a Web Application Firewall (WAF) or proxy server to filter incoming requests and block those containing suspicious characters or commands in the username field. Monitor network traffic for unusual activity, particularly attempts to execute commands. Regularly review access point configurations and disable any unnecessary services. Once ELECOM releases a patch, apply it immediately. After upgrade, confirm by attempting a command injection attack via the username parameter; it should be rejected.

Comment corrigertraduction en cours…

Actualice el firmware del dispositivo WRC-BE72XSD-B a una versión corregida. Consulte el sitio web de ELECOM para obtener más información y las actualizaciones de firmware disponibles: https://www.elecom.co.jp/news/security/20260512-01/

Questions fréquentestraduction en cours…

What is CVE-2026-42062 — Command Injection in ELECOM WRC-BE72XSD-B?

CVE-2026-42062 is a critical command injection vulnerability affecting the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. It allows attackers to execute arbitrary OS commands without authentication, potentially leading to complete system compromise.

Am I affected by CVE-2026-42062 in ELECOM WRC-BE72XSD-B?

You are affected if you are using the ELECOM WRC-BE72XSD-B Wireless LAN Access Point with firmware versions 1.1.0–v1.1.1 or earlier. Immediate action is required.

How do I fix CVE-2026-42062 in ELECOM WRC-BE72XSD-B?

Upgrade to a patched version of the firmware as soon as it becomes available from ELECOM. Until then, implement network segmentation and WAF rules to mitigate the risk.

Is CVE-2026-42062 being actively exploited?

While no active campaigns have been reported, the ease of exploitation and lack of authentication make it a likely target for opportunistic attackers. Continuous monitoring is recommended.

Where can I find the official ELECOM advisory for CVE-2026-42062?

Please refer to the ELECOM website and security advisories for the latest information and patch releases regarding CVE-2026-42062. Check their support pages for updates.

Ton projet est-il affecté ?

Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.

Scanner gratuitementRechercher des CVE
en directfree scan

Essayez maintenant — sans compte

scanZone.subtitle

Scan manuelSlack/email alertsContinuous monitoringWhite-label reports

Glissez-déposez votre fichier de dépendances

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...