ELECOM wireless access points could allow external attackers to take control of the device.

ELECOM wireless LAN access points could allow attackers on your network to change device settings without authentication, potentially exposing critical network controls. This could result in unintended configuration changes or connectivity disruptions.

NVD published May 13, 2026

External risk brief: CRITICAL

CVE-2026-40621

Halo Surface Signal: 2/5

The vulnerability affects the administrative interface of a wireless access point. These interfaces are designed for internal network management. While they may be reachable in some network configurations, they are not intended to be exposed to the public internet, and such exposure is uncommon for this class of device.

Exposure facts

H – Horizon Alert

A security vulnerability has been identified in certain ELECOM wireless LAN access points where specific URLs can be accessed without requiring authentication. Because the devices may be operated without needing to log in, unauthorized parties could potentially interact with or control system settings. This poses a business risk, as unauthorized access to network infrastructure can lead to unintended configuration changes or disruptions to connectivity.

A – Asset Exposure

This issue affects ELECOM wireless LAN access points, where certain administrative URLs do not enforce required authentication. This lack of access control means that unauthorized individuals on your network could potentially view sensitive settings or modify network controls. The extent of the risk depends on your deployment, in particular whether the management interface for these wireless devices is reachable by unauthorized users. Evaluating who can reach these interface URLs is key to understanding the potential for unauthorized administrative changes.

L – Live Threat

The available security context does not indicate active exploitation or observed targeting of these wireless devices at this time. We have no confirmed reports of public exploit code or proof-of-concept activity linked to this issue. Consequently, there is no evidence of current live-threat activity associated with this vulnerability.

O – Operational Fix

Please prioritize reviewing your organization's ELECOM wireless LAN access point inventory to identify potentially affected units. As guidance is evolving, please refer directly to the official ELECOM security announcement for specific instructions on managing these devices. We recommend validating your current configurations against these vendor recommendations to ensure your access points are properly secured.
