CVE-2026-22550 is an OS command injection vulnerability found in ELECOM CO.,LTD.'s wireless router models WRC-X1500GS-B and WRC-X1500GSA-B, specifically in firmware versions 1.12 and earlier. The vulnerability arises from improper neutralization of special elements in user-supplied input within the device's web interface or management functions. A logged-in user can craft a malicious request that injects arbitrary operating system commands, which the device executes with elevated privileges. This flaw allows an attacker to execute commands on the underlying operating system, potentially leading to full device compromise, unauthorized access to network traffic, or pivoting to other internal systems. The CVSS v3.0 base score of 7.2 reflects a high severity rating, with an attack vector over the network, low attack complexity, and requiring high privileges (logged-in user), but no user interaction. The vulnerability affects the confidentiality, integrity, and availability of the device and connected networks. No public exploit code or active exploitation has been reported yet, but the presence of this vulnerability in network infrastructure devices makes it a significant risk. The lack of available patches at the time of publication necessitates immediate mitigation steps by affected users.

For European organizations, exploitation of this vulnerability could lead to unauthorized control over critical network infrastructure devices, resulting in data breaches, interception or manipulation of network traffic, and disruption of network services. Given that these devices are often used in enterprise or sensitive environments, attackers could leverage this vulnerability to establish persistent footholds, move laterally within networks, or exfiltrate sensitive information. The high severity and ability to execute arbitrary OS commands mean that attackers could disable security controls, install malware, or cause denial of service. This risk is particularly acute for organizations in sectors such as finance, government, telecommunications, and critical infrastructure, where network reliability and confidentiality are paramount. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially if attackers develop exploits rapidly after disclosure.

Organizations should immediately identify all instances of ELECOM WRC-X1500GS-B and WRC-X1500GSA-B devices running firmware version 1.12 or earlier. Since no patch links are currently available, interim mitigations include restricting access to the device management interfaces to trusted networks and users only, enforcing strong authentication and session management, and monitoring for unusual command execution or network behavior. Network segmentation should be employed to isolate vulnerable devices from critical systems. Additionally, organizations should contact ELECOM for firmware updates or security advisories and apply patches as soon as they become available. Regularly auditing device configurations and logs for signs of exploitation attempts is recommended. Finally, consider replacing affected devices with models that have confirmed security updates if patching is delayed.