Overview
CVE-2026-40621 is a critical authentication bypass vulnerability affecting ELECOM wireless LAN access point devices. The flaw allows unauthenticated remote attackers to access specific protected URLs and operate affected devices without any authentication credentials.
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), reflecting the high impact on confidentiality, integrity, and availability with no authentication required for exploitation.
Technical Details
The vulnerability stems from missing authentication controls on certain device URL endpoints. Affected ELECOM access points fail to enforce authentication checks before granting access to administrative or sensitive functionality through specific URL paths.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-40621 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Authentication | None required |
| Published | 2026-05-13 |
Impact
An unauthenticated attacker with network access to an affected ELECOM access point can:
- Access protected administration URLs without providing credentials
- Operate the device without authorization, including modifying configuration
- Potentially pivot to other network segments accessible through the compromised access point
- Intercept or redirect network traffic if the attacker can alter routing or DNS settings
Given the network-accessible nature of wireless access points, this vulnerability is particularly dangerous in environments where management interfaces are reachable from untrusted networks.
Affected Products
ELECOM has confirmed that multiple wireless LAN access point product lines are impacted. Organizations using ELECOM networking equipment should verify their specific model against the vendor advisory.
Known affected device categories:
- ELECOM wireless LAN access points (multiple models)
Remediation
Immediate Steps
- Apply vendor patches as soon as ELECOM releases updated firmware addressing CVE-2026-40621
- Restrict network access to management interfaces: use firewall rules or VLAN segmentation so that device management ports are not reachable from untrusted networks
- Audit access logs on affected devices for any unauthorized access attempts
- Change default credentials if not already done, as a defense-in-depth measure
Compensating Controls
Until patches are available:
- Place access point management interfaces on an isolated management VLAN
- Use firewall ACLs to limit which hosts can reach the device management port
- Enable intrusion detection rules for unexpected management interface traffic
- Monitor for unusual configuration changes on affected devices
Detection
Organizations should monitor for:
- Unexpected HTTP/HTTPS requests to access point management interfaces from unauthorized sources
- Configuration changes without corresponding authorized admin sessions
- Network traffic anomalies originating from or destined to affected access points
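The compensating control "limit which hosts can reach the device management port" and the detection item "unexpected HTTP/HTTPS requests to management interfaces from unauthorized sources" reduce to the same check: did a request for a management URL come from outside the approved management network? The following Python script is an added example (not ELECOM code and not part of this advisory) that runs that check over web-server-style access log lines. The management network (10.20.30.0/24), the management URL prefixes, the client addresses and the log lines are all constructed placeholders; the actual protected paths on an affected device are model-specific and are not named here. A management request that was served (2xx/3xx) to an unapproved source is ranked higher than one the device rejected (401/403), because on an unpatched device the former is what successful exploitation of a missing-authentication flaw looks like in the logs.

```python
"""Flag access point management requests from outside the management network.

Added illustrative example; not ELECOM firmware code and not part of the advisory.
The log format, the management URL prefixes, the addresses and the log lines
below are all constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: management interfaces sit on an isolated management VLAN
# (compensating control above). Only these networks may reach them.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Hypothetical management URL prefixes. The protected paths on a real device are
# model-specific and are not named in the advisory.
MANAGEMENT_PREFIXES = ("/admin", "/cgi-bin/", "/setup")

# Common-log-format style line: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    method: str
    path: str
    status: int
    severity: str  # "high" if the device served the request, "low" if it refused


def is_management_path(path: str) -> bool:
    """True if the request targets one of the (hypothetical) management URLs."""
    return path.startswith(MANAGEMENT_PREFIXES)


def from_management_net(src: str) -> bool:
    """True if the client address lies inside an approved management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or malformed fields never count as approved
    return any(addr in net for net in MANAGEMENT_NETS)


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per management request from an unapproved source.

    A 2xx/3xx status means the device answered the request; on an unpatched
    device that is the signature of the authentication bypass being used.
    A 401/403 means the device refused it, which is still worth recording.
    """
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path = m.group("path")
        src = m.group("src")
        if not is_management_path(path) or from_management_net(src):
            continue
        status = int(m.group("status"))
        severity = "high" if 200 <= status < 400 else "low"
        findings.append(Finding(m.group("ts"), src, m.group("method"), path, status, severity))
    return findings


def count_by_source(findings: Iterable[Finding]) -> dict:
    """Aggregate findings per client address, e.g. to drive an alert threshold."""
    counts: dict = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample log. Only 10.20.30.5 is on the management network.
SAMPLE_LOG = """\
10.20.30.5 - - [13/May/2026:10:01:02 +0000] "GET /admin/status.html HTTP/1.1" 200 512
192.168.1.77 - - [13/May/2026:10:03:15 +0000] "GET /admin/status.html HTTP/1.1" 200 512
192.168.1.77 - - [13/May/2026:10:03:20 +0000] "POST /cgi-bin/apply.cgi HTTP/1.1" 200 64
203.0.113.9 - - [13/May/2026:10:05:00 +0000] "GET /setup HTTP/1.1" 401 0
10.20.30.5 - - [13/May/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 2048
192.168.1.77 - - [13/May/2026:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity}] {f.timestamp} {f.src} {f.method} {f.path} -> {f.status}")
    print(count_by_source(results))
```

On the constructed sample the script reports three findings: two served management requests from 192.168.1.77 (high) and one rejected request from 203.0.113.9 (low); the requests from 10.20.30.5 and the non-management page fetches are ignored. In practice MANAGEMENT_NETS and MANAGEMENT_PREFIXES would be filled from the actual management VLAN and the device's documented administration paths, and the "high" findings are the ones to cross-check against the list of authorized admin sessions, as the detection item on configuration changes suggests.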
References
- NVD: CVE-2026-40621
- ELECOM Security Advisory (check vendor site for latest firmware)
- JVN Vulnerability Database: JVNVU#90672616