CVE-2021-20862 : Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v

Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent unauthenticated attacker to bypass access restriction, and to obtain anti-CSRF tokens and change the product's settings via unspecified vectors.

Published 2021-12-01 03:15:07

Updated 2022-06-28 14:11:45

Source JPCERT/CC

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2021-20862

Elecom » Wrc-2533gst2 Firmware
Versions up to, including, (<=) 1.25
cpe:2.3:o:elecom:wrc-2533gst2_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-2533gst2 » Version: N/A
Elecom » Wrc-1167gst2 Firmware
Versions up to, including, (<=) 1.25
cpe:2.3:o:elecom:wrc-1167gst2_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-1167gst2 » Version: N/A
Elecom » Wrc-1167gst2a Firmware
Versions up to, including, (<=) 1.25
cpe:2.3:o:elecom:wrc-1167gst2a_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-1167gst2a » Version: N/A
Elecom » Wrc-1167gst2h Firmware
Versions up to, including, (<=) 1.25
cpe:2.3:o:elecom:wrc-1167gst2h_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-1167gst2h » Version: N/A
Elecom » Wrc-2533gs2-b Firmware
Versions up to, including, (<=) 1.52
cpe:2.3:o:elecom:wrc-2533gs2-b_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-2533gs2-b » Version: N/A
Elecom » Wrc-2533gs2-w Firmware
Versions up to, including, (<=) 1.52
cpe:2.3:o:elecom:wrc-2533gs2-w_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-2533gs2-w » Version: N/A
Elecom » Wrc-1750gs Firmware
Versions up to, including, (<=) 1.03
cpe:2.3:o:elecom:wrc-1750gs_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-1750gs » Version: N/A
Elecom » Wrc-1750gsv Firmware
Versions up to, including, (<=) 2.11
cpe:2.3:o:elecom:wrc-1750gsv_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-1750gsv » Version: N/A
Elecom » Wrc-1900gst Firmware
Versions up to, including, (<=) 1.03
cpe:2.3:o:elecom:wrc-1900gst_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-1900gst » Version: N/A
Elecom » Wrc-2533gst Firmware
Versions up to, including, (<=) 1.03
cpe:2.3:o:elecom:wrc-2533gst_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-2533gst » Version: N/A
Elecom » Wrc-2533gsta Firmware
Versions up to, including, (<=) 1.03
cpe:2.3:o:elecom:wrc-2533gsta_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-2533gsta » Version: N/A
Elecom » Wrc-2533gst2sp Firmware
Versions up to, including, (<=) 1.25
cpe:2.3:o:elecom:wrc-2533gst2sp_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-2533gst2sp » Version: N/A
Elecom » Wrc-2533gst2-g Firmware
Versions up to, including, (<=) 1.25
cpe:2.3:o:elecom:wrc-2533gst2-g_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Wrc-2533gst2-g » Version: N/A
Elecom » Edwrc-2533gst2 Firmware
Versions up to, including, (<=) 1.25
cpe:2.3:o:elecom:edwrc-2533gst2_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Elecom » Edwrc-2533gst2 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2021-20862

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 25 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-20862

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.3	LOW	AV:A/AC:L/Au:N/C:N/I:P/A:N	6.5	2.9	NIST
Access Vector: Adjacent Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
4.3	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	2.8	1.4	NIST
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

References for CVE-2021-20862

https://jvn.jp/en/vu/JVNVU94527926/index.html

JVNVU#94527926: Multiple vulnerabilities in multiple ELECOM routers
Third Party Advisory

CVEs referencing this url
https://www.elecom.co.jp/news/security/20211130-01/

無線LANルーターのセキュリティ向上のためのファームウェアアップデートのお願い - 最新情報 - セキュリティ情報｜ELECOM
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-20862

Products affected by CVE-2021-20862

Exploit prediction scoring system (EPSS) score for CVE-2021-20862

CVSS scores for CVE-2021-20862

References for CVE-2021-20862