Description
ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a logged-in user, an arbitrary OS command may be executed.
Published: 2026-05-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ELECOM wireless LAN access points allow a logged-in user to craft a request whose ping_ip_addr parameter triggers an OS command injection, enabling arbitrary command execution on the device. The vulnerability is classified as CWE-78 (improper neutralization of special elements used in an OS command), which can lead to remote code execution and compromise the confidentiality, integrity, and availability of the device and any networks it serves.

Affected Systems

The affected models are ELECOM CO.,LTD. WRC-BE65QSD-B, WRC-BE72XSD-B, WRC-BE72XSD-BA, and WRC-W702-B. No specific firmware versions are identified in the advisory.

Risk and Exploitability

The advisory assigns a CVSS score of 8.6, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires an authenticated session to the device’s management interface; a logged-in user can send a crafted request from the local network to exploit the flaw. Successful exploitation would allow remote execution of arbitrary OS commands.

Generated by OpenCVE AI on May 13, 2026 at 14:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any official firmware updates released by ELECOM that fix the command injection flaw.
  • Limit access to the device’s management interface to trusted IP addresses or VPN connections and apply strong authentication.
  • Disable or restrict the ping_ip_addr functionality if the device configuration allows it, or use network segmentation to isolate the access point from critical infrastructure.

Advisories

No advisories yet.

History

Sun, 17 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elecom; Elecom wrc-be65qsd-b; Elecom wrc-be72xsd-b; Elecom wrc-be72xsd-ba; Elecom wrc-w702-b
Vendors & Products | | Elecom; Elecom wrc-be65qsd-b; Elecom wrc-be72xsd-b; Elecom wrc-be72xsd-ba; Elecom wrc-w702-b

Wed, 13 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Title | | OS Command Injection via Ping IP Address Parameter in ELECOM Wireless LAN Access Points

Wed, 13 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a logged-in user, an arbitrary OS command may be executed.
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_0: {'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-05-13T15:19:45.905Z

Reserved: 2026-05-07T05:47:11.955Z

Link: CVE-2026-35506

Vulnrichment

Updated: 2026-05-13T15:19:08.993Z

NVD

Status: Deferred

Published: 2026-05-13T13:16:40.880

Modified: 2026-05-13T15:47:10.327

Link: CVE-2026-35506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T19:42:04Z

Weaknesses