Description
The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, allowing attackers to bypass authentication by directly accessing restricted web application endpoints through forced browsing.
Published: 2026-03-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass in web interface
Action: Patch immediately
AI Analysis

Impact

The WiFi Extender WDR201A firmware implements a broken authentication mechanism within its web management interface. The login page does not enforce proper session validation, allowing attackers to bypass authentication by directly accessing restricted endpoints via forced browsing. The weakness is a classic authentication bypass (CWE‑285) and enables an attacker to gain full control of the device’s configuration and settings without needing valid credentials.

Affected Systems

The vulnerability affects the WiFi Extender WDR201A model, hardware version 2.1 and firmware LFMZX28040922V1.02. No other vendors or products are identified. The device is typically deployed in residential or small‑business networks.

Risk and Exploitability

The CVE carries a CVSS base score of 9.8 (Critical). The EPSS score is below 1 %, suggesting that exploitation is unlikely to be widespread; however, the device is usually accessible on local networks, making forced browsing feasible for attackers with network access. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it remotely by sending crafted HTTP requests to the management interface, bypassing authentication altogether.

Generated by OpenCVE AI on March 23, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that resolves the authentication bypass or apply any available vendor patch.
  • Disable the web management interface if it is not required for operation and block external network access to it.
  • Restrict management interface access to the local network or via VPN and enforce strong network segmentation.
  • Monitor device logs for unauthorized access attempts and investigate any anomalous activity promptly.



Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type | Values Removed | Values Added
Title | (none) | Broken Authentication in WiFi Extender WDR201A Web Management Interface

Mon, 23 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | (none) | CWE-285
Metrics | (none) | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 19 Mar 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wdr201a
Vendors & Products | (none) | Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wdr201a

Wed, 18 Mar 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, allowing attackers to bypass authentication by directly accessing restricted web application endpoints through forced browsing
References

Subscriptions

Shenzhen Yuner Yipu Wdr201a
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T15:56:47.034Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30702

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-18T18:16:27.860

Modified: 2026-03-23T16:16:45.750

Link: CVE-2026-30702

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:00Z

Weaknesses