Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers can craft a POST request with specially crafted ampersand-delimited parameters to bypass input sanitization and execute commands with a maximum length of 31 bytes through the date command or channel parameter processing.
Published: 2026-05-04
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WDR201A WiFi Extender contains an OS command injection flaw in the makeRequest.cgi component that allows an attacker to run arbitrary shell commands. The vulnerability is triggered by crafting a POST request with ampersand‑delimited parameters that bypass input filtering in the set_time or StartSniffer functions. The injected commands are limited to a maximum length of 31 bytes and are executed through the date command or channel parameter processing, giving remote attackers the ability to compromise the device’s operating system or execute arbitrary scripts.

Affected Systems

Affected systems are the Shenzhen Yipu Commercial and Trading Co., Ltd WDR201A WiFi Extender, hardware revision V2.1. The specific firmware susceptible to this issue is LFMZX28040922V1.02. No other versions or models are listed as vulnerable.

Risk and Exploitability

This vulnerability carries a CVSS score of 9.3, indicating very high severity. The EPSS score is not available, but the attacker only needs to send a single unauthenticated POST request to a publicly reachable endpoint, making exploitation straightforward. The flaw is not currently listed in the CISA KEV catalog, yet the lack of authentication constraints and the ability to execute shell commands make the risk significant for any deployed device.

Generated by OpenCVE AI on May 4, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware revision issued by Shenzhen Yipu that addresses the makeRequest.cgi command injection issue.
  • If a patch is not immediately available, block or restrict network access to the makeRequest.cgi endpoint using firewall or ACL rules, limiting exposure to trusted hosts.
  • Disable or remove unused StartSniffer or set_time functionality on the device, or configure the device to run only the minimum required services and restrict remote administrative access to the local network.

Generated by OpenCVE AI on May 4, 2026 at 20:21 UTC.
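
For firmware developers, one way to close this class of flaw (CWE-78) is to validate each value against a strict shape and run the helper program without a shell. This is an added example, not the vendor's or OpenCVE's code: the function names, the timestamp format, the 1 to 165 channel range and the /bin/date path are assumptions, since the page does not show how makeRequest.cgi builds its commands.

```c
/* Added example: hypothetical helpers, not the WDR201A firmware's code. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only "YYYY-MM-DD HH:MM:SS": fixed length, digits and fixed separators. */
int valid_time_arg(const char *s)
{
    static const char shape[] = "dddd-dd-dd dd:dd:dd";
    if (s == NULL || strlen(s) != sizeof(shape) - 1)
        return 0;
    for (size_t i = 0; shape[i] != '\0'; i++)
        if (shape[i] == 'd' ? !isdigit((unsigned char)s[i]) : s[i] != shape[i])
            return 0;
    return 1;
}

/* Parse a Wi-Fi channel as a plain decimal integer; 1..165 is an assumed range. */
int parse_channel(const char *s, int *out)
{
    char *end;
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return 0;
    long v = strtol(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 165)
        return 0;
    *out = (int)v;
    return 1;
}

/* Set the clock without a shell: the value is one argv element, never a command line. */
int set_time_noshell(const char *ts)
{
    if (!valid_time_arg(ts))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "date", "-s", (char *)ts, NULL };
        execv("/bin/date", argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

The channel is handed onward as the parsed integer, so no request text ever reaches a command string.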

Advisories

No advisories yet.

History

Mon, 04 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers can craft a POST request with specially crafted ampersand-delimited parameters to bypass input sanitization and execute commands with a maximum length of 31 bytes through the date command or channel parameter processing.
Title | | WDR201A WiFi Extender OS Command Injection via makeRequest.cgi
Weaknesses | | CWE-78
References | |
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T20:17:14.500Z

Reserved: 2026-04-22T18:50:43.619Z

Link: CVE-2026-41924

Vulnrichment

Updated: 2026-05-04T20:17:11.387Z

NVD

Status: Received

Published: 2026-05-04T20:16:19.153

Modified: 2026-05-04T20:16:19.153

Link: CVE-2026-41924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z
