Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.
Published: 2026-05-04
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection in the firewall.cgi component of the WDR201A WiFi Extender. An attacker can supply arbitrary shell commands via parameters such as websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter, either by using subshell syntax or through parameters that are not filtered. The payloads are stored in NVRAM, so they run again on every subsequent request to firewall.cgi. This is a classic CWE‑78 flaw: an attacker can take full control of the device’s operating system, compromising the confidentiality, integrity and availability of the network infrastructure.

Affected Systems

Affected are the Shenzhen Yipu Commercial and Trading Co., Ltd WDR201A WiFi Extender, hardware version V2.1 with firmware LFMZX28040922V1.02. No other vendor or product versions are listed in the CNA data.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, which is rated Critical. No EPSS score is available, and the flaw is not listed in CISA’s KEV catalog. The attack vector is inferred to be local network or remote HTTP access to the device’s web interface: the attacker needs to know the device’s address and to have access, authenticated or unauthenticated, to the affected CGI. The published CVSS vector rates the flaw as network-reachable with no privileges required (AV:N/PR:N). The persistence of payloads in NVRAM raises the likelihood of repeated exploitation.

Generated by OpenCVE AI on May 4, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If the vendor releases a firmware update that removes the insecure input handling in firewall.cgi, obtain and install it.
  • If an update is not available, limit exposure by disabling or removing the vulnerable parameters (websURLFilter, websHostFilter, portForward, singlePortForward, ipportFilter) through configuration or access control.
  • Run firewall.cgi under the least privileged user account and isolate the process from higher‑privilege system services to reduce the impact of any successful injection.

Generated by OpenCVE AI on May 4, 2026 at 20:20 UTC.
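
The following is an added example, not the vendor's firmware code and not part of the advisory. It shows the allowlist check that the input-handling recommendation implies, applied to stored values as well: because payloads persist in NVRAM, rules read back from storage need the same validation as newly submitted ones. The function names, the ';'-separated rule list and the hostname-style character set are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRY 64 /* assumed upper bound for one filter entry */
/* Allowlist check for one filter entry: non-empty, bounded, and made only of
 * letters, digits, '.', '-' and '_'. Everything else ($, `, (, ;, |, &, quotes,
 * whitespace, ...) is rejected outright rather than escaped. */
int filter_entry_is_safe(const char *s, size_t len)
{
    if (s == NULL || len == 0 || len > MAX_ENTRY) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_')) return 0;
    }
    return 1;
}

/* Re-validate a stored rule list (assumed ';'-separated) read back from NVRAM.
 * Copies only safe entries that fit into out; returns how many were dropped. */
int scrub_stored_rules(const char *stored, char *out, size_t outsz)
{
    int dropped = 0;
    size_t used = 0;
    if (stored == NULL || out == NULL || outsz == 0) return -1;
    out[0] = '\0';
    while (*stored) {
        size_t len = strcspn(stored, ";");
        if (len > 0 && filter_entry_is_safe(stored, len) && used + len + 2 <= outsz) {
            if (used) out[used++] = ';';
            memcpy(out + used, stored, len);
            used += len;
            out[used] = '\0';
        } else if (len > 0) {
            dropped++;
        }
        stored += len;
        if (*stored == ';') stored++;
    }
    return dropped;
}

int main(void)
{
    char clean[128]; /* constructed sample below: middle entry has subshell syntax */
    int dropped = scrub_stored_rules("example.com;a$(true);ads.example.net", clean, sizeof clean);
    printf("dropped=%d kept=%s\n", dropped, clean);
    return 0;
}
```

A non-zero return value means the stored configuration already contained entries outside the allowlist and should be rewritten with the scrubbed list before any rule is applied.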

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:00:00 +0000


Mon, 04 May 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
| Description | | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request. |
| Title | | WDR201A WiFi Extender OS Command Injection via firewall.cgi |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T19:19:26.495Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41926

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T20:16:19.450

Modified: 2026-05-04T20:16:19.450

Link: CVE-2026-41926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z

Weaknesses