Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allow unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.
Published: 2026-05-04
Score: 9.3 Critical
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the wireless.cgi component of the WDR201A WiFi Extender and allows an attacker to inject arbitrary shell commands through the sz11gChannel or PIN POST parameters. Because the set_wifi_basic and set_wifi_do_wps functions do not sanitize these inputs, an unauthenticated remote user can execute commands on the device’s operating system. The weakness is identified as an OS command injection (CWE-78).

Affected Systems

The affected product is the Shenzhen Yipu Commercial and Trading Co., Ltd WDR201A WiFi Extender, model WDR201A (hardware version V2.1, firmware LFMZX28040922V1.02). No other vendors or versions are listed as affected.

Risk and Exploitability

The CVSS score of 9.3 reflects a high likelihood of successful exploitation and critical impact. The EPSS score is not available, but given that the flaw allows unauthenticated remote code execution and the device is network-facing, the real-world risk is substantial. The vulnerability is not listed in CISA KEV, but its severity and lack of authentication requirements make it highly attractive to threat actors. Attackers would simply need to send crafted POST requests to the wireless.cgi endpoint; no prior access or credentials are required.

Generated by OpenCVE AI on May 4, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-released firmware update that removes the command injection flaw.
  • If no patch is available, disable the wireless.cgi interface or block HTTP traffic to the device from untrusted networks using firewall rules.
  • Restrict or remove the ability to use WPS and channel configuration functions, or enforce strict input validation for sz11gChannel and PIN parameters.

Generated by OpenCVE AI on May 4, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Shenzhen Yuner Yipu
Shenzhen Yuner Yipu wifi Extender Wdr201a
Vendors & Products Shenzhen Yuner Yipu
Shenzhen Yuner Yipu wifi Extender Wdr201a

Mon, 04 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allow unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.
Title WDR201A WiFi Extender OS Command Injection via wireless.cgi
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Shenzhen Yuner Yipu Wifi Extender Wdr201a
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T23:11:47.333Z

Reserved: 2026-04-22T18:50:43.619Z

Link: CVE-2026-41922

cve-icon Vulnrichment

Updated: 2026-05-04T20:04:28.542Z

cve-icon NVD

Status : Deferred

Published: 2026-05-04T20:16:18.860

Modified: 2026-05-05T19:47:31.297

Link: CVE-2026-41922

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T09:22:41Z

Weaknesses