Impact
The vulnerability is an OS command injection in Elecom wireless LAN products. A crafted request sent by an authenticated user can inject arbitrary operating-system commands, giving the attacker full control over the device's underlying operating system. This can lead to a complete compromise of confidentiality, integrity, and availability, consistent with the CWE-78 classification.
Affected Systems
The affected devices are the Elecom WRC-X1500GS-B, WRC-X1500GSA-B, WRC-X1800GS-B, WRC-X1800GSA-B, WRC-X1800GSH-B, WRC-X3000GS2-B, WRC-X3000GS2-W, WRC-X3000GS2A-B, WRC-X3000GST2-B, WRC-X6000QS-G, WRC-X6000QSA-G, WRC-X6000XS-G, WRC-X6000XST-G, WRC-XE5400GS-G, and WRC-XE5400GSA-G. The flaw resides in the device firmware; the router models listed by Elecom are documented as vulnerable, and any unit still running the factory-supplied or an earlier firmware version should be treated as affected.
Risk and Exploitability
The CVSS base score is 8.6, indicating a high-severity flaw, yet the EPSS probability is below 1 %, suggesting that exploitation in the wild is rare. The flaw requires the attacker to have authenticated access to the router's administrative interface, so the attack is most likely to come from inside the network or from an attacker who has already obtained a legitimate user's credentials. The vulnerability is not listed in the CISA KEV catalog, but because it allows arbitrary OS command execution, any router whose administrative interface is exposed should be treated as a critical risk.
OpenCVE Enrichment