Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution.
Published: 2026-05-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an OS command injection vulnerability in the adm.cgi binary’s reboot_time function of the WDR201A WiFi Extender. When reboot_enabled is set to 1, an unauthenticated attacker can supply crafted input containing shell metacharacters in the reboot_time POST parameter, causing the device to execute arbitrary shell commands. This represents a full remote code execution capability per CWE‑78, allowing attackers to read, modify, or delete any data on the device and potentially use the extender as a pivot point for broader network attacks.

Affected Systems

The affected products are Shenzhen Yipu Commercial and Trading Co., Ltd’s WDR201A WiFi Extender. The specific hardware version is V2.1 and the firmware version identified is LFMZX28040922V1.02. No other vendor or product versions are listed as vulnerable in the available data.

Risk and Exploitability

The CVSS score of 9.3 places this vulnerability in the critical range, indicating a high potential impact and ease of exploitation. The EPSS score is not available, but the lack of validation or authentication combined with the ability to use any HTTP client to send the malicious POST request suggests a high likelihood of real-world exploitation. The vulnerability is not catalogued in the CISA KEV list, yet its exploitation could lead to device takeover, lateral movement, and compromise of any networks connected through the extender.

Generated by OpenCVE AI on May 4, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware release from Shenzhen Yipu that patches the OS command injection in adm.cgi
  • If an update is not yet available, block or firewall all access to /adm.cgi from external networks and restrict administrative interfaces to trusted IP ranges
  • Audit and monitor device logs for abnormal POST requests to adm.cgi, in particular unexpected reboot_time parameter values, to detect exploitation attempts
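
One way to implement the log check recommended above, as an added example (not code from OpenCVE or the vendor). It assumes a reverse proxy or capture exposes the POST body of requests to adm.cgi. The sample requests and the allow-list for a benign reboot_time value are constructed assumptions, since the page does not document the parameter's legitimate format.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: a benign reboot_time is a short clock-style value such as 03:00.
# The advisory does not document the real format; adjust for your device.
BENIGN_REBOOT_TIME = re.compile(r"[0-9]{1,2}(:[0-9]{2}){0,2}")

# Constructed sample requests (method, path, form body); PLACEHOLDER stands in
# for whatever followed the metacharacter.
SAMPLE_REQUESTS = [
    ("POST", "/adm.cgi", "reboot_enabled=1&reboot_time=03%3A00"),
    ("POST", "/adm.cgi", "reboot_enabled=1&reboot_time=03%3A00%3BPLACEHOLDER"),
    ("POST", "/adm.cgi", "reboot_enabled=1&reboot_time=%2524%2528PLACEHOLDER%2529"),
    ("POST", "/adm.cgi", "reboot_enabled=0&reboot_time=1%7CPLACEHOLDER"),
    ("GET", "/index.html", ""),
]


def fully_decode(value, rounds=3):
    """Undo nested URL-encoding so the finding shows the effective value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_request(method, path, body):
    """Return (severity, value) for a reboot_time outside the allow-list, else None."""
    if method.upper() != "POST" or not path.split("?")[0].endswith("adm.cgi"):
        return None
    params = parse_qs(body, keep_blank_values=True)  # decodes one layer
    # The advisory ties the injection to reboot_enabled=1, so rate that higher.
    armed = "1" in params.get("reboot_enabled", [])
    for raw in params.get("reboot_time", []):
        if not BENIGN_REBOOT_TIME.fullmatch(raw):
            return ("alert" if armed else "warn", fully_decode(raw))
    return None


def scan(requests):
    """Return (index, severity, value) for every flagged request."""
    hits = ((i, check_request(*req)) for i, req in enumerate(requests))
    return [(i,) + hit for i, hit in hits if hit]
```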

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution.
Title | | WDR201A WiFi Extender OS Command Injection via adm.cgi (reboot_time)
Weaknesses | | CWE-78
References | |
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T19:40:39.886Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41925

Vulnrichment

Updated: 2026-05-04T19:40:35.775Z

NVD

Status: Received

Published: 2026-05-04T20:16:19.300

Modified: 2026-05-04T20:16:19.300

Link: CVE-2026-41925

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z

Weaknesses