Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.
Published: 2026-05-04
Score: 9.3 Critical
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in the wireless.cgi binary of the WDR201A WiFi Extender (hardware V2.1, firmware LFMZX28040922V1.02). Attackers may supply malicious input in the sz11gChannel or PIN POST parameters, which are passed unsanitized to the set_wifi_basic or set_wifi_do_wps functions, enabling arbitrary shell command execution. Because the vulnerability is triggered purely by HTTP POST requests and requires no authentication, any network host that can reach the device can potentially compromise the system.

Affected Systems

The affected product is the Shenzhen Yipu Commercial and Trading Co., Ltd WDR201A WiFi Extender, model WDR201A (hardware version V2.1, firmware LFMZX28040922V1.02). No other vendors or versions are listed as affected.

Risk and Exploitability

The CVSS score of 9.3 reflects a high likelihood of successful exploitation and critical impact. The EPSS score is 1%, indicating a low but nonzero probability of exploitation in real-world conditions. The vulnerability is not listed in CISA KEV, but the combination of remote unauthenticated command injection and the device's network-facing nature makes it highly attractive to threat actors. Attackers need only send crafted POST requests to the wireless.cgi endpoint; no prior access or credentials are required.

Generated by OpenCVE AI on May 26, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released firmware update that removes the command injection flaw.
  • If no patch is available, disable the wireless.cgi interface or block HTTP traffic to the device from untrusted networks using firewall rules.
  • Restrict or remove the ability to use WPS and channel configuration functions, or enforce strict input validation for sz11gChannel and PIN parameters.
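
The strict input validation recommended above for sz11gChannel and PIN could look like the following. This is an added example, not code from the vendor firmware or from OpenCVE. The 0..14 channel range, the 8-digit PIN form and the helper path /sbin/wifi-set-channel are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Channel: one or two decimal digits, value 0..14 (0 = auto is an assumption). */
int parse_channel(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    int ch = 0;
    if (n < 1 || n > 2)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;          /* any shell metacharacter fails here */
        ch = ch * 10 + (s[i] - '0');
    }
    return ch <= 14 ? ch : -1;
}

/* WPS PIN: exactly 8 decimal digits with a valid WPS checksum digit. */
int valid_wps_pin(const char *s)
{
    unsigned sum = 0;
    if (s == NULL || strlen(s) != 8)
        return 0;
    for (int i = 0; i < 8; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;
        sum += (unsigned)(s[i] - '0') * (i % 2 == 0 ? 3u : 1u);
    }
    return sum % 10 == 0;
}

/* Fill argv for execv(): the value travels as one argument and no shell
 * parses it. HELPER is a hypothetical path, not taken from the firmware. */
static char HELPER[] = "/sbin/wifi-set-channel";
int build_channel_argv(const char *raw, char *num, size_t numsz, char *argv[3])
{
    int ch = parse_channel(raw);
    if (ch < 0 || numsz < 3)
        return -1;
    snprintf(num, numsz, "%d", ch);   /* re-serialise the parsed integer */
    argv[0] = HELPER;
    argv[1] = num;
    argv[2] = NULL;
    return 0;
}

/* Constructed inputs: a valid channel and a checksum-valid sample PIN. */
int main(void) { printf("%d %d\n", parse_channel("6"), valid_wps_pin("12345670")); return 0; }
```

The validators use an allowlist (digits only, bounded length and range) instead of trying to strip dangerous characters, and the parsed integer, not the raw request string, is what reaches the argument vector.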



Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type: Description
Values Removed: WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allow unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.
Values Added: WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.

Fri, 08 May 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wifi Extender Wdr201a

Type: Vendors & Products
Values Added: Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wifi Extender Wdr201a

Mon, 04 May 2026 19:30:00 +0000

Type: Description
Values Added: WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allow unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.

Type: Title
Values Added: WDR201A WiFi Extender OS Command Injection via wireless.cgi

Type: Weaknesses
Values Added: CWE-78

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T11:52:16.851Z

Reserved: 2026-04-22T18:50:43.619Z

Link: CVE-2026-41922

Vulnrichment

Updated: 2026-05-04T20:04:28.542Z

NVD

Status: Deferred

Published: 2026-05-04T20:16:18.860

Modified: 2026-05-26T14:16:36.380

Link: CVE-2026-41922

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T15:00:10Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')