{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24449", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-01-30T01:42:46.700Z", "datePublished": "2026-02-03T06:57:20.505Z", "dateUpdated": "2026-02-03T15:54:07.198Z"}, "containers": {"cna": {"affected": [{"vendor": "ELECOM CO.,LTD.", "product": "WRC-X1500GS-B", "versions": [{"version": "all versions", "status": "affected"}]}, {"vendor": "ELECOM CO.,LTD.", "product": "WRC-X1500GSA-B", "versions": [{"version": "all versions", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information."}], "problemTypes": [{"descriptions": [{"description": "Use of weak credentials", "lang": "en-US", "cweId": "CWE-1391", "type": "CWE"}]}], "references": [{"url": "https://www.elecom.co.jp/news/security/20260203-01/"}, {"url": "https://jvn.jp/en/jp/JVN94012927/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 4.6, "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-03T06:57:20.505Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:53:54.600516Z", "id": "CVE-2026-24449", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:54:07.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24449", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T15:53:54.600516Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:54:00.742Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 4.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "ELECOM CO.,LTD.", "product": "WRC-X1500GS-B", "versions": [{"status": "affected", "version": "all versions"}]}, {"vendor": "ELECOM CO.,LTD.", "product": "WRC-X1500GSA-B", "versions": [{"status": "affected", "version": "all versions"}]}], "references": [{"url": "https://www.elecom.co.jp/news/security/20260203-01/"}, {"url": "https://jvn.jp/en/jp/JVN94012927/"}], "descriptions": [{"lang": "en", "value": "For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-1391", "description": "Use of weak credentials"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-03T06:57:20.505Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24449", "state": "PUBLISHED", "dateUpdated": "2026-02-03T15:54:07.198Z", "dateReserved": "2026-01-30T01:42:46.700Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-02-03T06:57:20.505Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:elecom:wrc-x1500gsa-b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB9250B0-9FE6-40B6-9FFB-33CAA055952F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:elecom:wrc-x1500gsa-b:-:*:*:*:*:*:*:*", "matchCriteriaId": "4E8909C3-AE13-4F0F-8036-FBF586D554E3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:elecom:wrc-x1500gs-b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C7534A1-EF08-45B9-9A74-46F97CAFE979", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:elecom:wrc-x1500gs-b:-:*:*:*:*:*:*:*", "matchCriteriaId": "18945200-2A5D-4ED1-AEBF-8351FED54B5F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information."}, {"lang": "es", "value": "Para WRC-X1500GS-B y WRC-X1500GSA-B, las contrase\u00f1as iniciales se pueden calcular f\u00e1cilmente a partir de la informaci\u00f3n del sistema."}], "id": "CVE-2026-24449", "lastModified": "2026-04-10T14:51:44.633", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-02-03T07:16:12.907", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN94012927/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.elecom.co.jp/news/security/20260203-01/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1391"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:24:14.040393+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware release that removes the ability to calculate default passwords.", "Change every default administrator password to a strong, unique credential immediately after installation.", "Restrict network access to the device\u2019s management interfaces, using firewall rules or VPN access, to limit exposure to trusted hosts."], "summary": {"action": "Update firmware", "impact": "Unauthorized access via easily derived default credentials"}, "threat_synthesis": {"affected_systems": "Elecom Co., Ltd. WRC\u2011X1500GS\u2011B and WRC\u2011X1500GSA\u2011B routers are affected. The issue is present in the device firmware variants listed as wrc\u2011x1500gs\u2011b_firmware and wrc\u2011x1500gsa\u2011b_firmware; no specific patch versions are provided in the data.", "description_and_impact": "The vulnerability allows an attacker to calculate the initial passwords from device system information, effectively bypassing authentication. This yields full control over the device and enables further exploitation of its functions. The weakness corresponds to CWE-1391, describing the use of predictable or weak credentials.", "risk_and_exploitability": "The CVSS score is 5.1, indicating moderate impact, while the EPSS score of less than 1% shows a very low probability of exploitation and the vulnerability is not listed in CISA\u2019s KEV catalogue. Attackers would likely need remote access to the device\u2019s management interface or to read exposed system information to compute the default credentials. Because the vulnerability is limited to initial password derivation, it does not grant elevated privileges beyond those of a legitimate administrator and thus the overall risk is moderate."}}}}, "created": "2026-02-04T12:14:13.541916+00:00", "title": "Derivable Default Passwords in ELECOM WRC Routers", "updated": "2026-04-18T00:30:25.712694+00:00", "vendors": ["elecom", "elecom$PRODUCT$wrc-x1500gs-b", "elecom$PRODUCT$wrc-x1500gsa-b"]}