Description
The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) exposes an unprotected UART interface through accessible hardware pads on the PCB.
Published: 2026-03-18
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential device takeover via open UART interface
Action: Assess impact
AI Analysis

Impact

The WiFi Extender WDR201A (hardware version V2.1, firmware LFMZX28040922V1.02) contains an unprotected UART interface that is accessible through exposed hardware pads on the printed circuit board. This flaw allows an attacker to transmit commands directly to the device’s processor without authentication, leading to potential arbitrary code execution, privilege escalation, or other unauthorized actions. The vulnerability is classified as CWE‑912, which indicates an improper identification or use of a device interface as being insecure or exposed. The specific impact is that an entity with physical access to the device can compromise the extender, potentially allowing further propagation or misuse of the network.

Affected Systems

The affected system is the Yeapook WiFi Extender model WDR201A, hardware version V2.1. The firmware in question is LFMZX28040922V1.02. No other vendors or product lines are listed as affected in the CVE entry.

Risk and Exploitability

The CVSS score of 9.1 falls in the Critical severity range. EPSS is below 1%, denoting a low probability of exploitation in the wild, and the vulnerability is not currently included in the CISA KEV catalog. Based on the description, exploitation requires physical proximity to the exposed UART pads, so the attack vector is likely local, requiring an attacker who can physically reach the device. Even though this requirement limits exploitability, the potential for full device compromise warrants serious attention if the hardware is deployed in a potentially insecure environment.

Generated by OpenCVE AI on March 19, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the presence of exposed UART pads on the affected extender
  • Physically disconnect or cover the UART pads to prevent unauthorized access
  • If possible, disable the UART functionality in firmware or through configuration
  • Implement physical security controls to restrict access to the device
  • Maintain up‑to‑date firmware from the vendor or request a patch that addresses the issue
  • Monitor for anomalous traffic or serial activity originating from the device

Generated by OpenCVE AI on March 19, 2026 at 16:27 UTC.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type | Values Removed | Values Added
Title | | Unprotected UART Interface in Yeapook WDR201A WiFi Extender (CVE-2026-30704)

Thu, 19 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-912
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}; ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wifi Extender Wdr201a
Vendors & Products | | Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wifi Extender Wdr201a

Wed, 18 Mar 2026 17:30:00 +0000


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-19T14:35:45.872Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30704

Vulnrichment

Updated: 2026-03-19T14:35:41.070Z

NVD

Status: Awaiting Analysis

Published: 2026-03-18T18:16:28.077

Modified: 2026-03-19T15:16:26.580

Link: CVE-2026-30704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:53:59Z

Weaknesses