Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.
Published: 2026-05-04
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the wireless.cgi component of the WDR201A WiFi Extender and allows an attacker to inject arbitrary shell commands through the sz11gChannel or PIN POST parameters. Because the set_wifi_basic and set_wifi_do_wps functions do not sanitize these inputs, an unauthenticated remote user can execute commands on the device’s operating system. The weakness is identified as an OS command injection (CWE-78).

Affected Systems

The affected product is the Shenzhen Yipu Commercial and Trading Co., Ltd WDR201A WiFi Extender, model WDR201A (hardware version V2.1, firmware LFMZX28040922V1.02). No other vendors or versions are listed as affected.

Risk and Exploitability

The CVSS score of 9.3 reflects a high likelihood of successful exploitation and critical impact. The EPSS score is not available, but given that the flaw allows unauthenticated remote code execution and the device is network-facing, the real-world risk is substantial. The vulnerability is not listed in CISA KEV, but its severity and lack of authentication requirements make it highly attractive to threat actors. Attackers would simply need to send crafted POST requests to the wireless.cgi endpoint; no prior access or credentials are required.

Generated by OpenCVE AI on May 4, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-released firmware update that removes the command injection flaw.
  • If no patch is available, disable the wireless.cgi interface or block HTTP traffic to the device from untrusted networks using firewall rules.
  • Restrict or remove the ability to use WPS and channel configuration functions, or enforce strict input validation for sz11gChannel and PIN parameters.

Generated by OpenCVE AI on May 4, 2026 at 20:50 UTC.
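
One way to implement the strict input validation recommended above, as an added example (not vendor code and not part of the CVE record): allow-list checks a CGI handler could apply before either parameter reaches any command. It assumes sz11gChannel carries a 2.4 GHz channel number (0 for auto, 1 to 14) and PIN is an 8-digit WPS PIN with the standard checksum digit; the function names and sample inputs are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed format: 1-2 decimal digits, value 0 (auto) to 14. Anything else,
 * including whitespace, signs or shell metacharacters, is rejected. */
int valid_channel(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n < 1 || n > 2)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return atoi(s) <= 14;
}

/* Assumed format: exactly 8 decimal digits whose weighted sum (weights
 * 3,1,3,1,...) is a multiple of 10, i.e. the WPS checksum digit is correct. */
int valid_wps_pin(const char *s)
{
    unsigned sum = 0;
    if (!s || strlen(s) != 8)
        return 0;
    for (int i = 0; i < 8; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;
        sum += (unsigned)(s[i] - '0') * (i % 2 == 0 ? 3u : 1u);
    }
    return sum % 10 == 0;
}

int main(void)
{
    /* Constructed sample inputs: well-formed values and malformed ones. */
    const char *channels[] = { "6", "0", "14", "15", "6;", "1\n", "" };
    const char *pins[] = { "12345670", "12345678", "1234567;", "123456700" };

    for (size_t i = 0; i < sizeof channels / sizeof *channels; i++)
        printf("channel ok=%d\n", valid_channel(channels[i]));
    for (size_t i = 0; i < sizeof pins / sizeof *pins; i++)
        printf("pin ok=%d\n", valid_wps_pin(pins[i]));
    return 0;
}
```

Validation of this kind narrows what can reach the command line; passing the checked values as separate arguments to an exec-style call rather than through a shell string removes the injection path altogether.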

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.
Title | | WDR201A WiFi Extender OS Command Injection via wireless.cgi
Weaknesses | | CWE-78
References | |
Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T20:04:36.802Z

Reserved: 2026-04-22T18:50:43.619Z

Link: CVE-2026-41922

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T20:16:18.860

Modified: 2026-05-04T20:16:18.860

Link: CVE-2026-41922

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T21:00:09Z