CVE-2026-20704
Description
A cross-site request forgery vulnerability exists in ELECOM wireless LAN products. If a user accesses a malicious page while logged in to the affected product, unintended operations may be performed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site request forgery vulnerability in multiple ELECOM wireless LAN routers allows attackers to perform unintended operations if an authenticated user visits a malicious page.
Vulnerability
CVE-2026-20704 describes a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, in many ELECOM wireless LAN router models. The flaw exists in the web management interface, where it fails to validate or include anti-CSRF tokens. As a result, an attacker can craft a malicious web page that, when visited by an authenticated administrator, submits unauthorized requests to the router [1].
Exploitation
The attacker needs no authentication or network access; the victim must be logged into the router's management interface while visiting the attacker's page. The attack vector is network-based (AV:N), requires user interaction (UI:R), and has low attack complexity (AC:L) [1]. The CVSS v3.0 base score is 4.3 (Medium).
Impact
Successful exploitation allows the attacker to perform actions on the router's management interface with the privileges of the logged-in user. The impact is limited to integrity (VI:L) with no effect on confidentiality or availability (VC:N, VA:N) according to the CVSS v3.0 vector [1]. Typical actions could include changing configuration settings (e.g., DNS, Wi-Fi parameters) but not full device compromise.
Mitigation
ELECOM has released updated firmware versions for each affected model to remediate this vulnerability. Users should apply the latest firmware as listed in the advisory [1]. The following models are vulnerable if running firmware versions equal to or earlier than those specified: WRC-X1500GS-B v1.12, WRC-X1500GSA-B v1.12, WRC-X3000GS2-B v1.09, WRC-X3000GS2-W v1.09, WRC-X3000GS2A-B v1.09, WRC-X3000GST2-B v1.06, WRC-X1800GS-B v1.19, WRC-X1800GSA-B v1.19, WRC-X1800GSH-B v1.19, WRC-X6000QS-G v1.14, WRC-X6000QSA-G v1.14, WRC-X6000XS-G v1.12, WRC-X6000XST-G v1.16, WRC-XE5400GS-G v1.13, and WRC-XE5400GSA-G v1.13.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.