CVE-2026-40621
Description
ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ELECOM wireless LAN access points lack authentication for specific URLs, allowing unauthenticated remote attackers to fully compromise the device.
Vulnerability
CVE-2026-40621 is a missing authentication issue (CWE-288) affecting multiple ELECOM wireless LAN access points [1]. The root cause is that the devices do not require authentication to access specific URLs, enabling unauthorized operations without any credentials [1]. This affects models such as WRC-BE72XSD-B, WRC-BE65QSD-B, and WRC-W702-B among others [1].
Exploitation requires network access to the vulnerable URL endpoints; no authentication or user interaction is needed [1]. An attacker can trigger the issue remotely over the network using low-complexity attacks [1]. The attack surface is broad as the affected products are often exposed on internal or guest networks.
The impact is severe: an unauthenticated attacker can achieve complete compromise of the device (confidentiality, integrity, and availability) [1]. The official CVSS v3 base score is 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
ELECOM has not yet released a patch for all affected models. Users are advised to apply firmware updates as soon as they become available and to restrict network access to the device's management interface [1]. As of the publication date (2026-05-13), no workaround is detailed.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.