CVE-2026-40621

Deferred
Published: 13 May 2026, 12:01
Last modified:13 May 2026, 15:07

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.0 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

13 May 2026, 12:01
Published
Vulnerability first disclosed
13 May 2026, 15:07
Last Modified
Vulnerability information updated

Description

ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.

CVSS Metrics

  • v4.0CRITICALScore: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • v4.0CRITICALScore: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • v3.0CRITICALScore: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Techniques & Countermeasures

  • CWE-288Authentication Bypass Using an Alternate Path or Channel

    The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Affected Systems

  • elecom co.,ltd.wrc-be65qsd-b

    v1.1.0 and earlier

  • elecom co.,ltd.wrc-be72xsd-b

    v1.1.1 and earlier

  • elecom co.,ltd.wrc-be72xsd-ba

    v1.1.1 and earlier

  • elecom co.,ltd.wrc-w702-b

    v1.1.0 and earlier

References (2)