PatchSiren

CVE-2024-34577 Elecom CVE debrief

CVE-2024-34577 is a cross-site scripting vulnerability in Elecom router firmware affecting the easysetup.cgi handler. If a user is logged in and then views a malicious web page, attacker-controlled script may execute in that user's browser.

Vendor: Elecom
Product: CVE-2024-34577
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-30
Original CVE updated: 2026-05-12
Advisory published: 2024-08-30
Advisory updated: 2026-05-12

Who should care

Administrators and users of the affected Elecom WRC-X3000GS2-B, WRC-X3000GS2-W, WRC-X3000GS2A-B, and WRC-X3000GST2-B devices should care, especially if the web admin interface is used from browsers that also visit untrusted sites.

Technical summary

The issue is classified as CWE-79 (cross-site scripting). NVD lists the CVSS v3.1 vector as AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which indicates remote reachability but requires user interaction: a logged-in user must load a malicious page for the injected script to run. NVD records vulnerable firmware versions for the affected Elecom models up to 1.08.

Defensive priority

Medium — prioritize patching and session hygiene for any device used through a browser-based admin workflow.

Recommended defensive actions

  • Update affected Elecom firmware to a version newer than 1.08 using the vendor guidance referenced in the Elecom and JVN advisories.
  • Confirm which WRC-X3000 model is deployed and inventory any devices matching the affected product names.
  • Avoid browsing untrusted websites while logged in to the router administration interface.
  • Limit access to the management interface to trusted networks or other controlled administration paths where possible.
  • Review the Elecom and JVN advisories for the vendor's remediation guidance and any model-specific notes.
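
The inventory and version checks in the actions above can be scripted. The following is an added example, not code from Elecom, JVN, or NVD: it flags inventory rows whose model is one of the four named in this debrief and whose firmware is 1.08 or older. The CSV layout, hostnames, status labels, and function names are assumptions made for illustration.

```python
import csv
import io
import re

# Model names and the last vulnerable version (1.08) come from this debrief.
AFFECTED_MODELS = {
    "WRC-X3000GS2-B", "WRC-X3000GS2-W", "WRC-X3000GS2A-B", "WRC-X3000GST2-B",
}
LAST_VULNERABLE = (1, 8)

# Constructed sample inventory; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """\
hostname,model,firmware
rt-lobby,WRC-X3000GS2-B,1.08
rt-lab,wrc-x3000gs2a-b,v1.10
rt-store,WRC-X3000GST2-B,1.05
rt-annex,WRC-X3000GS2-W,unknown
rt-other,WRC-EXAMPLE-1,1.02
"""


def parse_version(text):
    """Return (major, minor) as ints, or None if the string is not N.N.

    Assumption: the part after the dot is compared as an integer.
    """
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)", text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(row):
    """Classify one inventory row against CVE-2024-34577."""
    model = row["model"].strip().upper()
    if model not in AFFECTED_MODELS:
        return "not-listed"   # not named in this CVE; says nothing else about it
    version = parse_version(row["firmware"])
    if version is None:
        return "review"       # affected model, firmware version unreadable
    return "vulnerable" if version <= LAST_VULNERABLE else "updated"


def triage_inventory(csv_text):
    """Map each hostname in the CSV text to its triage status."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: triage(row) for row in reader}


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Rows marked "review" are affected models whose firmware string could not be parsed and should be checked by hand against the vendor advisory.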

Evidence notes

This debrief is based on the official CVE record, the NVD detail, the NVD JSON source item, the JVN advisory, and the Elecom security advisory. The source corpus identifies the affected models in the description and lists vulnerable firmware versions through 1.08 for the matching Elecom CPE entries. The CVSS vector and CWE-79 classification are taken from the official NVD metadata. CVE-2024-34577 was published on 2024-08-30; the NVD record was later modified on 2026-05-12, which is a record-update date rather than the vulnerability's original disclosure date.

Official resources

Publicly disclosed and recorded on 2024-08-30, with a later NVD metadata update on 2026-05-12.