Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution.
Published: 2026-05-04
Score: 9.3 Critical
EPSS: 3.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw in the adm.cgi binary’s reboot_time function of the WDR201A WiFi Extender. When reboot_enabled is set to 1, an unauthenticated attacker can send a POST request containing shell metacharacters in the reboot_time parameter, causing the device to execute arbitrary shell commands. This represents a full remote code execution capability as defined by CWE-78, allowing attackers to read, modify, or delete any data on the device and potentially use the extender as a pivot point for broader network attacks.

Affected Systems

The affected product is the Shenzhen Yipu Commercial and Trading Co., Ltd WDR201A WiFi Extender hardware version V2.1 running firmware LFMZX28040922V1.02. No other vendor, product, or firmware versions are listed as vulnerable in the available data.

Risk and Exploitability

The CVSS score of 9.3 places this vulnerability in the critical range, indicating a high potential impact and ease of exploitation. The EPSS score of 3% suggests that the vulnerability has a moderate likelihood of being targeted in the wild. Because the flaw allows unauthenticated HTTP POST requests to /adm.cgi from any source, the practical risk of real‑world exploitation is high. The vulnerability is not currently listed in the CISA KEV catalog, but its exploitation could lead to device takeover, lateral movement, and compromise of networks connected through the extender.

Generated by OpenCVE AI on June 18, 2026 at 08:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a firmware update from Shenzhen Yipu that patches the OS command injection in adm.cgi’s reboot_time, ensuring proper input sanitization as a mitigation for CWE‑78.
  • If an update is unavailable, enforce strict input validation on the reboot_time parameter by allowing only alphanumeric values and rejecting any shell metacharacters, effectively neutralizing command injection.
  • Configure network access so that the administrative interface (/adm.cgi) is reachable only from trusted IP addresses or through a secure VPN, preventing unauthenticated external exploitation.
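The allowlist check recommended above, sketched as an added example (not code from the vendor firmware or from OpenCVE): it validates every reboot_time field of a form-encoded POST body after percent-decoding, so encoded metacharacters, %00 and duplicate parameters are rejected too. The function names, the MAX_FIELD bound and the idea of running this in a filter in front of /adm.cgi are assumptions; the sample bodies are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_FIELD 64 /* assumed bound on one decoded name or value */

/* Percent-decode n bytes of form data into out. Returns the decoded length,
   or -1 on a malformed escape or when the result exceeds cap. */
static int url_decode(const char *in, size_t n, unsigned char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '+') c = ' ';
        else if (c == '%') {
            if (n - i < 3 || !isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2])) return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            i += 2;
        }
        if (o == cap) return -1;
        out[o++] = c;
    }
    return (int)o;
}

/* 1 = body may be forwarded to /adm.cgi, 0 = reject (fails closed).
   Hypothetical filter: names and values are decoded before comparison. */
int reboot_body_allowed(const char *body) {
    for (const char *p = body; *p; ) {
        size_t len = strcspn(p, "&");          /* one name=value pair */
        const char *eq = memchr(p, '=', len);
        size_t klen = eq ? (size_t)(eq - p) : len;
        unsigned char key[MAX_FIELD], val[MAX_FIELD];
        int kn = url_decode(p, klen, key, sizeof key);
        if (kn < 0) return 0;
        if (kn == 11 && memcmp(key, "reboot_time", 11) == 0) {
            int vn = eq ? url_decode(eq + 1, len - klen - 1, val, sizeof val) : 0;
            if (vn < 0) return 0;
            for (int i = 0; i < vn; i++)   /* by length, so a decoded NUL fails */
                if (!isalnum(val[i])) return 0; /* allowlist: [0-9A-Za-z] only */
        }
        p += len + (p[len] == '&');
    }
    return 1;
}

int main(void) { /* constructed sample bodies: prints "1 0" */
    printf("%d %d\n", reboot_body_allowed("reboot_enabled=1&reboot_time=0300"),
           reboot_body_allowed("reboot_enabled=1&reboot_time=03%3B00"));
    return 0;
}
```

An empty reboot_time is allowed because it carries nothing to inject; tighten the check to the exact time format once the device's expected format is known.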

Advisories

No advisories yet.

History

Wed, 06 May 2026 09:45:00 +0000

Values added:
First Time appeared: Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wifi Extender Wdr201a
Vendors & Products: Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wifi Extender Wdr201a

Mon, 04 May 2026 20:30:00 +0000

Values added:
Metrics: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 19:30:00 +0000

Values added:
Description: WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution.
Title: WDR201A WiFi Extender OS Command Injection via adm.cgi (reboot_time)
Weaknesses: CWE-78
References:
Metrics: cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T23:11:49.523Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41925

Vulnrichment

Updated: 2026-05-04T19:40:35.775Z

NVD

Status: Deferred

Published: 2026-05-04T20:16:19.300

Modified: 2026-06-17T10:47:12.407

Link: CVE-2026-41925

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T08:45:03Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')