Impact
ELECOM wireless LAN access points allow a logged-in user to craft a request containing a ping_ip_addr parameter that triggers an OS command injection, enabling arbitrary command execution on the device. The vulnerability is classified as CWE-78 (improper neutralization of special elements used in an OS command): the parameter value is passed into a command without adequate sanitization, which can lead to remote code execution and compromises the confidentiality, integrity, and availability of the device and any networks it serves.
Affected Systems
The affected models are ELECOM CO.,LTD. WRC-BE65QSD-B, WRC-BE72XSD-B, WRC-BE72XSD-BA, and WRC-W702-B. No specific firmware versions are identified in the advisory.
Risk and Exploitability
The advisory assigns a CVSS score of 8.6, indicating high severity. The EPSS score is 1%, and the vulnerability is not listed in CISA's KEV catalog. The attack requires an authenticated session to the device's management interface; a logged-in user can send a crafted request to exploit the flaw. Based on the description, the likely attack vector involves a user who has logged in to the web interface, though the exact network location of the attacker is not specified. Successful exploitation would allow remote execution of arbitrary OS commands.
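As an added illustration (not code from ELECOM or from the advisory), the following shows the defensive pattern for a ping-style diagnostic parameter such as ping_ip_addr: accept only a literal IP address and invoke ping with an argument list instead of a shell string, plus a small scanner that flags ping_ip_addr values in web access logs that are not IP literals. The log lines and the /cgi-bin/ping.cgi endpoint name are constructed, hypothetical samples.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit


def is_ip_literal(value: str) -> bool:
    """True only if value parses as a bare IPv4/IPv6 address (no hostnames,
    no whitespace, no shell metacharacters can survive this check)."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_ping_argv(value: str) -> list[str]:
    """Hardened form: validate strictly, then return an argv list.

    Handing subprocess.run() a list (never shell=True with a joined string)
    means the OS receives the address as one argument and no shell re-parses it.
    """
    value = value.strip()
    if not is_ip_literal(value):
        raise ValueError(f"ping_ip_addr is not an IP address: {value!r}")
    return ["ping", "-c", "1", value]


# Constructed combined-format access log sample; /cgi-bin/ping.cgi is hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - admin [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/ping.cgi?ping_ip_addr=192.0.2.1 HTTP/1.1" 200 512
203.0.113.5 - admin [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/ping.cgi?ping_ip_addr=192.0.2.1%20extra HTTP/1.1" 200 512
203.0.113.5 - admin [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def flag_suspicious_ping_requests(log_text: str) -> list[str]:
    """Return decoded ping_ip_addr values that are not valid IP literals.

    Anything other than a plain address in this parameter is worth a detection
    alert on a device whose ping handler builds an OS command from it.
    """
    flagged = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query  # parse_qs percent-decodes
        for raw in parse_qs(query, keep_blank_values=True).get("ping_ip_addr", []):
            if not is_ip_literal(raw):
                flagged.append(raw)
    return flagged


if __name__ == "__main__":
    print(build_ping_argv("192.0.2.1"))
    print(flag_suspicious_ping_requests(SAMPLE_LOG))
```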
OpenCVE Enrichment