{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-41427", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2025-06-17T00:52:57.012Z", "datePublished": "2025-06-24T04:37:09.818Z", "dateUpdated": "2025-06-25T12:42:52.339Z"}, "containers": {"cna": {"affected": [{"vendor": "ELECOM CO.,LTD.", "product": "WRC-X3000GS", "versions": [{"version": "v1.0.34 and earlier", "status": "affected"}]}, {"vendor": "ELECOM CO.,LTD.", "product": "WRC-X3000GSA", "versions": [{"version": "v1.0.34 and earlier", "status": "affected"}]}, {"vendor": "ELECOM CO.,LTD.", "product": "WRC-X3000GSN", "versions": [{"version": "v1.0.9 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "WRC-X3000GS, WRC-X3000GSA, and WRC-X3000GSN contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Connection Diagnostics page. If a remote authenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed."}], "problemTypes": [{"descriptions": [{"description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')", "lang": "en-US", "cweId": "CWE-78", "type": "CWE"}]}], "references": [{"url": "https://www.elecom.co.jp/news/security/20250624-01/"}, {"url": "https://jvn.jp/en/jp/JVN39435597/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2025-06-24T04:37:09.818Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-24T15:23:49.118515Z", "id": "CVE-2025-41427", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-25T12:42:52.339Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-41427", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-24T15:23:49.118515Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T15:23:50.251Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "ELECOM CO.,LTD.", "product": "WRC-X3000GS", "versions": [{"status": "affected", "version": "v1.0.34 and earlier"}]}, {"vendor": "ELECOM CO.,LTD.", "product": "WRC-X3000GSA", "versions": [{"status": "affected", "version": "v1.0.34 and earlier"}]}, {"vendor": "ELECOM CO.,LTD.", "product": "WRC-X3000GSN", "versions": [{"status": "affected", "version": "v1.0.9 and earlier"}]}], "references": [{"url": "https://www.elecom.co.jp/news/security/20250624-01/"}, {"url": "https://jvn.jp/en/jp/JVN39435597/"}], "descriptions": [{"lang": "en", "value": "WRC-X3000GS, WRC-X3000GSA, and WRC-X3000GSN contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Connection Diagnostics page. If a remote authenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-78", "description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2025-06-24T04:37:09.818Z"}}}, "cveMetadata": {"cveId": "CVE-2025-41427", "state": "PUBLISHED", "dateUpdated": "2025-06-25T12:42:52.339Z", "dateReserved": "2025-06-17T00:52:57.012Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2025-06-24T04:37:09.818Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WRC-X3000GS, WRC-X3000GSA, and WRC-X3000GSN contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Connection Diagnostics page. If a remote authenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed."}, {"lang": "es", "value": "WRC-X3000GS, WRC-X3000GSA y WRC-X3000GSN presentan una vulnerabilidad de neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando del sistema operativo ('Inyecci\u00f3n de comandos del sistema operativo') en la p\u00e1gina Connection Diagnostics. Si un atacante remoto autenticado env\u00eda una solicitud especialmente manipulada al producto afectado, podr\u00eda ejecutarse un comando arbitrario del sistema operativo."}], "id": "CVE-2025-41427", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2025-06-24T05:15:24.243", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN39435597/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.elecom.co.jp/news/security/20250624-01/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}

{}

{"created": "2025-07-13T21:48:18.536872+00:00", "updated": "2025-07-13T21:48:18.536942+00:00", "vendors": ["elecom", "elecom$PRODUCT$wrc-x3000gs", "elecom$PRODUCT$wrc-x3000gsa", "elecom$PRODUCT$wrc-x3000gsn"]}