Description
A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality.
Published: 2026-03-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection flaw exists in the adm.cgi endpoint of the WiFi Extender WDR201A’s web management interface. The sysCMD functionality fails to sanitize user input for a command‑related parameter, allowing an attacker to execute arbitrary shell commands on the device. This weakness, identified as CWE‑78, could be used to compromise the integrity, confidentiality, and availability of the extender and the network it serves.

Affected Systems

The vulnerability impacts the WiFi Extender WDR201A, hardware version 2.1 running firmware LFMZX28040922V1.02. No other models or firmware versions are listed as affected.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests low current exploitation prevalence. The flaw is not cataloged in the CISA KEV list. The attack vector is inferred to be remote, via the device’s exposed HTTP-based management interface, and would require only unauthenticated or low‑privilege access to the web UI.

Generated by OpenCVE AI on March 23, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update that resolves the command injection flaw for the WiFi Extender WDR201A.
  • If a firmware patch is unavailable, disable or remove the sysCMD feature from the web management interface or restrict access to the management port to a trusted local network segment.
  • Implement firewall rules to block external access to the extender’s web interface and enforce strong authentication if the device supports it.
  • Consider replacing the device with a model that has no known vulnerabilities if patching or disabling features is not feasible.

Generated by OpenCVE AI on March 23, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Command Injection in WiFi Extender Web Interface Leading to Remote Code Execution

Mon, 23 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Shenzhen Yuner Yipu
Shenzhen Yuner Yipu wdr201a
Vendors & Products Shenzhen Yuner Yipu
Shenzhen Yuner Yipu wdr201a

Wed, 18 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality.
References

Subscriptions

Shenzhen Yuner Yipu Wdr201a
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T15:56:39.241Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30703

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T18:16:27.967

Modified: 2026-03-23T16:16:45.920

Link: CVE-2026-30703

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:53:59Z

Weaknesses