CVE-2024-23910 - Exploiting CSRF in ELECOM WiFi Routers and Repeaters – Real-World Impact & Exploit Details

In early 2024, a new cross-site request forgery (CSRF) vulnerability was disclosed in a range of ELECOM’s wireless LAN routers and repeaters, including popular units like WMC-X180GST-B and WSC-X180GS-B – also distributed as part of the e-Mesh Starter Kit “WMC-2LX-B”. This post breaks down what CVE-2024-23910 is, why it’s dangerous, how an exploit works, and what owners should do right now.

What is CVE-2024-23910?

CVE-2024-23910 describes a security vulnerability found in ELECOM network devices (original advisory in Japanese, JPCERT page). Due to insufficient CSRF protections in the web admin interface, a remote, unauthenticated attacker can trick an authenticated admin (someone logged into the router’s admin panel) into performing *unintended operations* – from changing WiFi passwords to reconfiguring the device itself.

Affected Devices

- WMC-X180GST-B – router/repeater, e-Mesh system

Both included in e-Mesh Starter Kit WMC-2LX-B

Other devices may be affected—check with official ELECOM support for up-to-date lists.

Why Is This Vulnerability Serious?

- No user interaction required: If an admin is *already logged in* to the web management interface and visits a malicious website, the device can be hijacked.
- Works remotely: Attackers can exploit routers over the local network (LAN) or, if remote access is enabled, the public internet.
- Full admin access: Attackers can perform *any* change the original admin could—reset passwords, open firewall holes, or even erase firmware.

How CSRF Works In These Routers

A CSRF attack happens when a legitimate, logged-in user is tricked into submitting a request to the device *on behalf of an attacker*—for example, by clicking an image, opening an email, or just loading an ad containing malicious code.

If the device doesn't check who sent the request (lacking “CSRF tokens” or other checks), it processes the command as if the admin intended it.

Step-By-Step Exploit Example

Let’s walk through a simple CSRF attack for this issue. Imagine an admin, Alice, is logged into her WMC-X180GST-B router’s web interface at http://192.168.2.1/.

The attacker knows that the “change admin password” form is at /apply.cgi?function=set_pwd and only requires an HTTP POST.

Example Attack HTML (placed on attacker’s website)

<!-- When the admin visits this page, the router password will be set to 'hacked123'. -->
<form action="http://192.168.2.1/apply.cgi?function=set_pwd" method="POST" id="evilForm">
  <input type="hidden" name="new_passwd" value="hacked123">
  <input type="hidden" name="confirm_passwd" value="hacked123">
</form>
<script>
  document.getElementById('evilForm').submit();
</script>

What happens next

- Alice visits a website controlled by the attacker, while she’s still logged into the router interface in another tab.

The admin password is changed to hacked123.

Note: This is just a hypothetical example based on typical router management UIs. Details like field names and endpoints may differ depending on firmware version; consult device documentation or the advisory for exact info.

What Makes This Vulnerability Worse?

- No CSRF tokens: The affected models’ web UI doesn’t require any CSRF token or referer checking.
- Plain HTTP: Many of these routers run unencrypted (HTTP, not HTTPS), making it easier for local network attackers to inject scripts.
- Default admin credentials: If unchanged, attackers don’t even need CSRF—they just log in directly.

References

- JPCERT/CC JVN#04705398 – ELECOM wireless LAN routers vulnerable to CSRF:
https://jvn.jp/en/jp/JVN04705398/

ELECOM Security Advisory (Japanese):

https://www.elecom.co.jp/news/security/20240326-01/

Common Vulnerabilities and Exposures – CVE-2024-23910:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23910

What Should Users Do?

1. Update your firmware: Check for the latest version and update ASAP. ELECOM support downloads has files and instructions.
2. Disable remote management: Unless you absolutely need it, turn off admin access from outside your network.
3. Always log out: After configuring your router, log out of the admin interface—don’t stay signed in!

Monitor ELECOM’s security page for further updates:

https://www.elecom.co.jp/news/security/

Conclusion

CVE-2024-23910 is simple, effective, and affects thousands of home and small business networks. If you have an ELECOM router or repeater—especially the WMC-X180GST-B, WSC-X180GS-B, or e-Mesh Starter Kit—be sure to patch now and tighten your security habits. The best defense is awareness.

Timeline

Published on: 02/28/2024 23:15:09 UTC
Last modified on: 08/01/2024 13:47:21 UTC