PatchSiren cyber security CVE debrief

CVE-2026-22550 Elecom CVE debrief

CVE-2026-22550 is a high-severity OS command injection vulnerability affecting certain ELECOM wireless LAN products. According to the vendor and NVD records, a crafted request from a logged-in user may lead to arbitrary OS command execution. The affected firmware entries in NVD are for WRC-X1500GSA-B and WRC-X1500GS-B, both up to firmware 1.13.

Vendor: Elecom
Product: CVE-2026-22550
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-03
Original CVE updated: 2026-05-12
Advisory published: 2026-02-03
Advisory updated: 2026-05-12

Who should care

Network administrators, security teams, and anyone managing ELECOM wireless LAN devices should review this issue, especially where the affected models are used for wireless access or device management.

Technical summary

NVD lists this as CWE-78 (OS Command Injection) with CVSS 4.0 vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H. The vulnerability is network-reachable but requires high privileges, consistent with the description that a crafted request from a logged-in user can trigger arbitrary OS command execution on affected firmware. NVD currently identifies vulnerable firmware for ELECOM WRC-X1500GSA-B and WRC-X1500GS-B through version 1.13.

Defensive priority

High. The issue can lead to full command execution on impacted devices, so affected firmware should be treated as a priority for inventory, patching, and access hardening.

Recommended defensive actions

  • Identify whether any ELECOM WRC-X1500GSA-B or WRC-X1500GS-B devices are deployed, and confirm the installed firmware version.
  • Apply the vendor/JVN remediation guidance as soon as possible for any affected firmware, using only official ELECOM instructions.
  • Restrict administrative and authenticated access to device management interfaces to the minimum necessary set of users and networks.
  • Review logs and configuration changes for unexpected management requests or signs of command execution attempts.
  • If immediate patching is not possible, isolate affected devices and reduce exposure of management interfaces until remediation is complete.
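
One way to carry out the inventory step above, as an added example that is not part of the NVD, JVN or ELECOM material: a small triage script that flags the listed models at firmware 1.13 or earlier. The CSV column names, hostnames and sample rows are constructed, and the component-by-component numeric ordering of firmware versions is an assumption.

```python
import csv
import io

# From this debrief (NVD data): affected models, firmware up to 1.13.
AFFECTED_MODELS = {"WRC-X1500GSA-B", "WRC-X1500GS-B"}
MAX_VULNERABLE = (1, 13)

# Constructed sample inventory; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """hostname,model,firmware
ap-lobby,WRC-X1500GSA-B,1.13
ap-warehouse,wrc-x1500gs-b,v1.9
ap-office,WRC-X1500GS-B,1.14
ap-annex,WRC-X1500GSA-B,unknown
ap-lab,OTHER-MODEL-1,1.02
"""

def parse_version(text):
    """Parse '1.13' or 'v1.9' into a tuple of ints; None if not numeric."""
    cleaned = text.strip().lower().lstrip("v")
    parts = cleaned.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Map each hostname to a triage status for CVE-2026-22550."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["hostname"].strip()
        if row["model"].strip().upper() not in AFFECTED_MODELS:
            results[host] = "model-not-listed"
            continue
        version = parse_version(row["firmware"])
        if version is None:
            # Never assume a device is safe when the version is unreadable.
            results[host] = "verify-manually"
        elif version <= MAX_VULNERABLE:
            # Numeric compare: 1.9 sorts before 1.13 (string compare would not).
            results[host] = "affected"
        else:
            results[host] = "above-listed-range"
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

A status of "above-listed-range" only means the version is later than the range recorded in NVD; confirm the fixed firmware version against the ELECOM advisory before closing the item.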

Evidence notes

This debrief is based on the official NVD record for CVE-2026-22550 and the linked JVN and ELECOM advisories. NVD records the vulnerability as modified on 2026-05-12 and published on 2026-02-03. The vendor-linked references describe the issue as OS command injection and identify affected ELECOM wireless LAN firmware.

Official resources

CVE-2026-22550 was published on 2026-02-03 and last modified on 2026-05-12. The official records identify ELECOM wireless LAN firmware as the affected product area and describe the issue as OS command injection.