Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response.
Published: 2026-05-04
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 has an OS command injection in internet.cgi that lets unauthenticated remote attackers supply a malicious gateway POST value, which the set_add_routing function concatenates unsafely and passes to popen(). The result is arbitrary shell commands executed with the privileges of the webserver process, enabling full compromise of the device. The vulnerability provides complete code‑execution capability, allowing attackers to install malware, hijack traffic, or pivot to other network assets.

Affected Systems

Affected vendors and products include Shenzhen Yipu Commercial and Trading Co., Ltd’s WDR201A WiFi Extender model. The specific vulnerability applies to hardware version V2.1 running firmware LFMZX28040922V1.02. No other versions are listed as affected in the available data.

Risk and Exploitability

The CVSS score of 9.3 classifies this flaw as critical, indicating high exploitation likelihood and impact. While the EPSS score is not available, the absence of a KEV listing does not reduce the risk because the flaw allows unauthenticated remote command injection. The likely attack vector is a crafted HTTP POST request to internet.cgi over the public-facing interface, implying that any device exposed to the internet is vulnerable unless mitigated.

Generated by OpenCVE AI on May 4, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware release from Shenzhen Yipu that addresses the OS command injection vulnerability.
  • Restrict external access to the internet.cgi endpoint by configuring firewall rules or disabling the interface if not needed.
  • Implement network segmentation so that the WiFi extender is isolated from critical assets and monitor its logs for anomalous command execution attempts.

Generated by OpenCVE AI on May 4, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response.
Title WDR201A WiFi Extender OS Command Injection via internet.cgi
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T19:10:40.161Z

Reserved: 2026-04-22T18:50:43.619Z

Link: CVE-2026-41923

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T20:16:19.017

Modified: 2026-05-04T20:16:19.017

Link: CVE-2026-41923

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z

Weaknesses