Description
Cross-site request forgery vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed.
Published: 2026-02-03
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unintended operations performed via CSRF when a logged‑in user visits a malicious site
Action: Update Firmware
AI Analysis

Impact

A cross‑site request forgery flaw allows an attacker to trigger unapproved actions on the affected devices while a legitimate user is authenticated. The vulnerability can be leveraged to change device settings or perform other actions that compromise the integrity and reliability of the router, potentially enabling further attacks or service disruption.

Affected Systems

This issue affects ELECOM CO.,LTD. WRC‑X1500GS‑B and WRC‑X1500GSA‑B routers. Users operating these specific models are susceptible.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS rating of less than 1% reflects a low likelihood of active exploitation at the time of assessment, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require a user who is logged into the router’s web interface to visit a malicious webpage that sends an unauthorized request. Because active exploitation has not been reported, the risk remains primarily related to phishing or social‑engineering scenarios where an authenticated user is tricked into visiting the attacker‑controlled page.

Generated by OpenCVE AI on April 18, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware release that contains the CSRF fix from ELECOM.
  • If a patch is not yet available, restrict access to the router’s web management interface by limiting it to trusted IP addresses or by enabling VPN access only for administrators.
  • Enable logging and monitor for anomalous configuration changes or unauthorized requests to detect potential exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery Enabling Unintended Operations on WRC‑X1500GS‑B and WRC‑X1500GSA‑B

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Elecom
Elecom wrc-x1500gs-b
Elecom wrc-x1500gsa-b
Vendors & Products Elecom
Elecom wrc-x1500gs-b
Elecom wrc-x1500gsa-b

Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Description Cross-site request forgery vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed.
Weaknesses CWE-352
References
Metrics cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Elecom Wrc-x1500gs-b Wrc-x1500gsa-b
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-03T15:56:26.479Z

Reserved: 2026-01-30T01:42:47.600Z

Link: CVE-2026-20704

cve-icon Vulnrichment

Updated: 2026-02-03T15:56:22.686Z

cve-icon NVD

Status : Deferred

Published: 2026-02-03T07:16:12.503

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-20704

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses