CVE-2022-25915

8.8 HIGH

📋 TL;DR

This vulnerability allows an attacker on the same network who has already authenticated to bypass access controls and reach the router's management interface. It affects multiple ELECOM LAN router models with specific firmware versions, potentially exposing administrative functions to unauthorized users.

💻 Affected Systems

Products:
  • WRC-1167GST2
  • WRC-1167GST2A
  • WRC-1167GST2H
  • WRC-2533GS2-B
  • WRC-2533GS2-W
  • WRC-1750GS
  • WRC-1750GSV
  • WRC-1900GST
  • WRC-2533GST
  • WRC-2533GSTA
  • WRC-2533GST2
  • WRC-2533GST2SP
  • WRC-2533GST2-G
  • EDWRC-2533GST2
Versions: Various firmware versions up to specified maximums (e.g., v1.25 and prior for many models)
Operating Systems: Router firmware only
Default Config Vulnerable: ⚠️ Yes
Notes: All listed firmware versions are vulnerable in default configurations. Attackers must be network-adjacent and authenticated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could gain full administrative control of the router, allowing them to reconfigure network settings, intercept traffic, deploy malware, or use the device as a pivot point for further attacks.

🟠 Likely Case

An authenticated attacker could access management functions they shouldn't have permission to use, potentially changing network configurations or viewing sensitive information.

🟢 If Mitigated

With proper network segmentation and strong authentication controls, the impact is limited to authorized users who might gain elevated privileges they don't need.

🌐 Internet-Facing: LOW (These are LAN routers typically not directly internet-facing, though WAN interfaces exist)
🏢 Internal Only: HIGH (Attackers must be network-adjacent, but internal networks often have many authenticated users)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW (Requires network access and authentication, but bypass is unspecified)

The exploit vector is unspecified in public disclosures, suggesting limited technical details are available. Attackers need existing network access and authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by model (e.g., WRC-1167GST2 firmware v1.26, WRC-2533GS2-B firmware v1.53)

Vendor Advisory: https://www.elecom.co.jp/news/security/20211130-01/

Restart Required: Yes

Instructions:

1. Identify your router model and current firmware version.
2. Visit the ELECOM support website for your region.
3. Download the latest firmware for your specific model.
4. Access the router admin interface.
5. Navigate to the firmware update section.
6. Upload and apply the new firmware.
7. Reboot the router.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate the router management interface on a dedicated VLAN, or restrict access to trusted management hosts only.

Access Control Lists (applies to: all)

Implement firewall rules so that only authorized IP addresses can reach the router management ports (typically 80/443).

🧯 If You Can't Patch

  • Implement strict network segmentation to limit which devices can communicate with the router's management interface.
  • Use strong authentication mechanisms and regularly audit user accounts with access to the router.

🔍 How to Verify

Check if Vulnerable:

Check the router web interface for the model and firmware version, and compare them against the affected lists in the advisory.

Check Version:

Access router web interface → System Information or similar section to view firmware version.

Verify Fix Applied:

After updating, verify firmware version in admin interface matches or exceeds patched versions listed in advisory.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts to router management interface
  • Access from unexpected IP addresses to admin pages
  • Configuration changes from non-admin users

Network Indicators:

  • Unexpected traffic to router management ports (80/443) from non-management hosts
  • Multiple failed authentication attempts followed by successful access

SIEM Query:

source_ip IN (non-management_subnets) AND dest_port IN (80,443) AND dest_ip = router_ip AND http_user_agent CONTAINS 'admin'
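The two network indicators above, implemented over a few constructed log lines as an added example (not part of the original advisory). The router address 192.168.2.1, the management subnet 192.168.2.0/28, and the key=value log format are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

ROUTER_IP = ipaddress.ip_address("192.168.2.1")        # assumed router address
MGMT_NETS = [ipaddress.ip_network("192.168.2.0/28")]    # assumed management subnet
MGMT_PORTS = {80, 443}                                  # router management ports

# Constructed firewall/auth log lines; the format is assumed, not from any ELECOM device.
SAMPLE_LOG = """\
2022-03-01T10:00:01 src=192.168.2.5 dst=192.168.2.1 dport=443 auth=ok user=admin
2022-03-01T10:02:11 src=192.168.2.140 dst=192.168.2.1 dport=80 auth=fail user=admin
2022-03-01T10:02:13 src=192.168.2.140 dst=192.168.2.1 dport=80 auth=fail user=admin
2022-03-01T10:02:20 src=192.168.2.140 dst=192.168.2.1 dport=80 auth=ok user=admin
2022-03-01T10:05:00 src=192.168.2.77 dst=93.184.216.34 dport=443 auth=- user=-
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) auth=(\S+)")

def parse(log):
    """Yield (src, dst, dport, auth_result) for each parseable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]), int(m[3]), m[4]

def is_mgmt_host(ip):
    return any(ip in net for net in MGMT_NETS)

def find_unexpected_mgmt_access(log):
    """Indicator 1: traffic to the router's management ports from non-management hosts."""
    return sorted({str(src) for src, dst, port, _ in parse(log)
                   if dst == ROUTER_IP and port in MGMT_PORTS and not is_mgmt_host(src)})

def find_fail_then_success(log, threshold=2):
    """Indicator 2: at least `threshold` failed logins from one host, then a success."""
    fails = defaultdict(int)
    hits = []
    for src, dst, port, auth in parse(log):
        if dst != ROUTER_IP or port not in MGMT_PORTS:
            continue
        if auth == "fail":
            fails[src] += 1
        elif auth == "ok":
            if fails[src] >= threshold:
                hits.append(str(src))
            fails[src] = 0  # reset after a successful login
    return hits
```

Both functions flag the same non-management host in the sample, which is the pattern the SIEM query above is meant to surface.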
