Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.
Published: 2026-05-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection in the firewall.cgi component of the WDR201A WiFi Extender, which allows an attacker to supply arbitrary shell commands via parameters such as websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter. The commands are injected using subshell syntax or through unfiltered parameters, and the payloads are stored in NVRAM so they run on every subsequent request to firewall.cgi. This flaw is a classic CWE-78; the impact is the ability for an attacker to take full control of the device's operating system, compromising the confidentiality, integrity and availability of the network infrastructure.

Affected Systems

Affected are the Shenzhen Yipu Commercial and Trading Co., Ltd WDR201A WiFi Extender, hardware version V2.1 with firmware LFMZX28040922V1.02. No other vendor or product versions are listed in the CNA data.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity. No EPSS score is available, and the flaw is not listed in CISA's KEV catalog. The attack vector is inferred to be local network or remote HTTP access to the device's web interface, requiring the attacker to know the device's address and to have access, authenticated or unauthenticated, to the affected CGI. The persistence of payloads in NVRAM raises the likelihood of repeated exploitation.

Generated by OpenCVE AI on May 4, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Obtain and install the vendor‑supplied firmware update that removes the insecure input handling in firewall.cgi.
  • If an update is not available, limit exposure by disabling or removing the vulnerable parameters (websURLFilter, websHostFilter, portForward, singlePortForward, ipportFilter) through configuration or access control.
  • Run firewall.cgi under the least privileged user account and isolate the process from higher‑privilege system services to reduce the impact of any successful injection.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 06 May 2026 09:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wifi Extender Wdr201a |
| Vendors & Products | | Shenzhen Yuner Yipu; Shenzhen Yuner Yipu wifi Extender Wdr201a |

Mon, 04 May 2026 20:00:00 +0000


Mon, 04 May 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request. |
| Title | | WDR201A WiFi Extender OS Command Injection via firewall.cgi |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T20:17:15.005Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41926

Vulnrichment

Updated: 2026-05-06T13:57:31.786Z

NVD

Status: Deferred

Published: 2026-05-04T20:16:19.450

Modified: 2026-05-05T19:47:31.297

Link: CVE-2026-41926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:22:35Z

Weaknesses