Description
For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information.
Published: 2026-02-03
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via easily derived default credentials
Action: Update firmware
AI Analysis

Impact

The vulnerability allows an attacker to calculate the initial passwords from device system information, effectively bypassing authentication. This yields full control over the device and enables further exploitation of its functions. The weakness corresponds to CWE-1391, describing the use of predictable or weak credentials.

Affected Systems

Elecom Co., Ltd. WRC‑X1500GS‑B and WRC‑X1500GSA‑B routers are affected. The issue is present in the device firmware variants listed as wrc‑x1500gs‑b_firmware and wrc‑x1500gsa‑b_firmware; no specific patch versions are provided in the data.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate impact, while the EPSS score of less than 1% shows a very low probability of exploitation and the vulnerability is not listed in CISA’s KEV catalogue. Attackers would likely need remote access to the device’s management interface or to read exposed system information to compute the default credentials. Because the vulnerability is limited to initial password derivation, it does not grant elevated privileges beyond those of a legitimate administrator and thus the overall risk is moderate.

Generated by OpenCVE AI on April 18, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware release that removes the ability to calculate default passwords.
  • Change every default administrator password to a strong, unique credential immediately after installation.
  • Restrict network access to the device’s management interfaces, using firewall rules or VPN access, to limit exposure to trusted hosts.

Generated by OpenCVE AI on April 18, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
Title Derivable Default Passwords in ELECOM WRC Routers

Fri, 10 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Elecom wrc-x1500gs-b Firmware
Elecom wrc-x1500gsa-b Firmware
CPEs cpe:2.3:h:elecom:wrc-x1500gs-b:-:*:*:*:*:*:*:*
cpe:2.3:h:elecom:wrc-x1500gsa-b:-:*:*:*:*:*:*:*
cpe:2.3:o:elecom:wrc-x1500gs-b_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:elecom:wrc-x1500gsa-b_firmware:*:*:*:*:*:*:*:*
Vendors & Products Elecom wrc-x1500gs-b Firmware
Elecom wrc-x1500gsa-b Firmware

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Elecom
Elecom wrc-x1500gs-b
Elecom wrc-x1500gsa-b
Vendors & Products Elecom
Elecom wrc-x1500gs-b
Elecom wrc-x1500gsa-b

Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Description For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information.
Weaknesses CWE-1391
References
Metrics cvssV3_0

{'score': 4.6, 'vector': 'CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Elecom Wrc-x1500gs-b Wrc-x1500gs-b Firmware Wrc-x1500gsa-b Wrc-x1500gsa-b Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-03T15:54:07.198Z

Reserved: 2026-01-30T01:42:46.700Z

Link: CVE-2026-24449

cve-icon Vulnrichment

Updated: 2026-02-03T15:54:00.742Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T07:16:12.907

Modified: 2026-04-10T14:51:44.633

Link: CVE-2026-24449

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses