Description
The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) contains hardcoded credential disclosure mechanisms (in the form of Server Side Include) within multiple server-side web pages, including login.shtml and settings.shtml. These pages embed server-side execution directives that dynamically retrieve and expose the web administration password from non-volatile memory at runtime.
Published: 2026-03-18
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure
Action: Apply Firmware Update
AI Analysis

Impact

Server‑side include directives embedded in multiple web pages such as login.shtml and settings.shtml reveal the administrator password stored in non‑volatile memory when the pages are rendered. This flaw allows an attacker who can reach the device’s web interface to obtain the password and gain full control over the extender, bypassing authentication. The weakness stems from hard‑coded credential disclosure (CWE‑798) and results in a direct compromise of confidentiality, integrity, and availability of the network portion managed by the device.

Affected Systems

Devices affected by this vulnerability are the WiFi Extender WDR201A, hardware version 2.1 running firmware LFMZX28040922V1.02 from the manufacturer Yeapook. No other vendor or product versions are currently listed as impacted.

Risk and Exploitability

The CVSS score of 9.1 falls in the critical severity range, while the EPSS score below 1% suggests limited current exploitation. Nevertheless, the flaw is publicly documented and could be exploited remotely by anyone with network access to the extender's web management interface. The vulnerability is not yet listed in the CISA KEV catalog, but operators should treat it as a high-risk exposure and act promptly. The likely attack vector is a web-based request to any of the affected pages; an attacker need only deliver a simple HTTP request to the device's IP address to trigger the credential disclosure.

Generated by OpenCVE AI on March 23, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest firmware release from Yeapook that removes hard‑coded credential disclosure


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:30:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-798

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wifi Extender Wdr201a

Type: Vendors & Products
Values Removed: (none)
Values Added: Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wifi Extender Wdr201a

Wed, 18 Mar 2026 17:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) contains hardcoded credential disclosure mechanisms (in the form of Server Side Include) within multiple server-side web pages, including login.shtml and settings.shtml. These pages embed server-side execution directives that dynamically retrieve and expose the web administration password from non-volatile memory at runtime.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T15:56:53.466Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30701

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-18T18:16:27.737

Modified: 2026-03-23T16:16:45.580

Link: CVE-2026-30701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:01Z

Weaknesses