OS Command Injection Vulnerability in ELECOM Wireless LAN Access Point Devices
CVE-2026-35506

8.6HIGH

Key Information:

Vendor: Elecom Co.,ltd.
Status: Wrc-be72xsd-b; Wrc-be72xsd-ba; Wrc-be65qsd-b; Wrc-w702-b
Vendor: CVE Published:; 13 May 2026

🔔 Create Elecom Co.,ltd. Vulnerability Alert

What is CVE-2026-35506?

ELECOM wireless LAN access point devices exhibit a vulnerability allowing for OS command injection through the improper handling of the 'ping_ip_addr' parameter. When a maliciously crafted request is sent by an authenticated user, this vulnerability can lead to the execution of arbitrary operating system commands, potentially compromising the device's integrity and breaching user security.

Affected Version(s)

WRC-BE65QSD-B v1.1.0 and earlier

WRC-BE72XSD-B v1.1.1 and earlier

WRC-BE72XSD-BA v1.1.1 and earlier

References

https://www.elecom.co.jp/news/security/20260512-01/

https://jvn.jp/en/jp/JVN03037325/

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

CVSS V3.0

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-35506 Data

JSON