Description
Cross-site request forgery vulnerability exists in ELECOM wireless LAN products. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed.
Published: 2026-02-03
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery flaw allows an attacker to cause a logged‑in user to send unintended requests to the router’s web interface, potentially changing configuration settings or performing other restricted actions. This attack undermines the integrity of the device’s configuration and can lead to service disruption or a stepping‑stone to further compromise.

Affected Systems

The flaw affects ELECOM CO.,LTD routers including WRC‑X1500GS‑B, WRC‑X1500GSA‑B, WRC‑X1800GS‑B, WRC‑X1800GSA‑B, WRC‑X1800GSH‑B, WRC‑X3000GS2‑B, WRC‑X3000GS2‑W, WRC‑X3000GS2A‑B, WRC‑X3000GST2‑B, WRC‑X6000QS‑G, WRC‑X6000QSA‑G, WRC‑X6000XS‑G, WRC‑X6000XST‑G, WRC‑XE5400GS‑G, and WRC‑XE5400GSA‑G. Specific firmware version details are not provided; users should verify whether their device is running an affected release.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated user to be logged into the router’s web interface and then visit a malicious webpage that triggers unauthorized requests. While no exploitation has been documented, the risk remains primarily from phishing or social‑engineering scenarios that coerce the user into visiting such a page.

Generated by OpenCVE AI on May 12, 2026 at 11:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware release that includes the CSRF fix from ELECOM.
  • If a patch is not yet available, restrict access to the router’s web management interface to trusted internal IP addresses or require VPN authentication for all administrative access.
  • Enable logging and monitor for abnormal configuration changes or unexpected POST requests, and configure alerts to detect potential CSRF attempts.

Generated by OpenCVE AI on May 12, 2026 at 11:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 11:30:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery Enabling Unintended Operations on WRC‑X1500GS‑B and WRC‑X1500GSA‑B

Tue, 12 May 2026 08:30:00 +0000

Type Values Removed Values Added
Description Cross-site request forgery vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed. Cross-site request forgery vulnerability exists in ELECOM wireless LAN products. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed.

Sat, 18 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery Enabling Unintended Operations on WRC‑X1500GS‑B and WRC‑X1500GSA‑B

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Elecom
Elecom wrc-x1500gs-b
Elecom wrc-x1500gsa-b
Vendors & Products Elecom
Elecom wrc-x1500gs-b
Elecom wrc-x1500gsa-b

Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Description Cross-site request forgery vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed.
Weaknesses CWE-352
References
Metrics cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Elecom Wrc-x1500gs-b Wrc-x1500gsa-b
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-05-12T08:09:07.849Z

Reserved: 2026-01-30T01:42:47.600Z

Link: CVE-2026-20704

cve-icon Vulnrichment

Updated: 2026-02-03T15:56:22.686Z

cve-icon NVD

Status : Deferred

Published: 2026-02-03T07:16:12.503

Modified: 2026-05-12T09:16:17.930

Link: CVE-2026-20704

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T11:15:14Z

Weaknesses