Description
ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command may be executed. No authentication is required.
Published: 2026-05-13
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ELECOM wireless LAN access point devices are vulnerable to an OS command injection flaw in the handling of the username parameter. An attacker can supply a specially crafted request that causes the system to execute arbitrary operating system commands. The impact is the potential execution of any command with the privileges of the affected service, leading to full compromise of the device and its network segment. The weakness is a classic command injection problem as identified by CWE-78.

Affected Systems

The affected products are ELECOM, Ltd. wireless LAN access points, models WRC-BE65QSD-B, WRC-BE72XSD-B, WRC-BE72XSD-BA, and WRC-W702-B. No specific firmware or software version information is provided, so all installations of these models may be susceptible.

Risk and Exploitability

The CVSS score of 9.3 reflects a high severity, and the absence of authentication requirements means any network user can target the flaw. EPSS data is not available, but the lack of a KEV listing does not diminish the risk. The likely attack vector is a remote HTTP request directed at the device’s username field, and the exploit requires no credentials, making mitigation urgent.

Generated by OpenCVE AI on May 13, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or security patch released by ELECOM that resolves the command injection issue
  • Restrict access to the access point’s management interface using firewalls or VLAN isolation so that only trusted hosts can reach it
  • Change the default administrator credentials and enforce strong password policies

Advisories

No advisories yet.

History

Sun, 17 May 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Elecom, Elecom wrc-be65qsd-b, Elecom wrc-be72xsd-b, Elecom wrc-be72xsd-ba, Elecom wrc-w702-b |
| Vendors & Products | | Elecom, Elecom wrc-be65qsd-b, Elecom wrc-be72xsd-b, Elecom wrc-be72xsd-ba, Elecom wrc-w702-b |

Wed, 13 May 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Wed, 13 May 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Remote OS Command Injection in Elecom Wireless LAN Access Point Username Parameter |

Wed, 13 May 2026 12:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command may be executed. No authentication is required. |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-05-13T15:07:12.520Z

Reserved: 2026-05-07T05:47:07.064Z

Link: CVE-2026-42062

Vulnrichment

Updated: 2026-05-13T15:07:07.266Z

NVD

Status: Deferred

Published: 2026-05-13T13:16:43.570

Modified: 2026-05-13T15:47:10.327

Link: CVE-2026-42062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T19:42:02Z

Weaknesses