Skip to main content

CVE-2026-30701

| EUVDEUVD-2026-12872 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-03-18 mitre
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 17:30 euvd
EUVD-2026-12872
Analysis Generated
Mar 18, 2026 - 17:30 vuln.today
CVE Published
Mar 18, 2026 - 00:00 nvd
CRITICAL 9.1

DescriptionCVE.org

The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) contains hardcoded credential disclosure mechanisms (in the form of Server Side Include) within multiple server-side web pages, including login.shtml and settings.shtml. These pages embed server-side execution directives that dynamically retrieve and expose the web administration password from non-volatile memory at runtime.

AnalysisAI

A WiFi Extender model WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) contains hardcoded credential disclosure vulnerabilities in its web administration interface through server-side include (SSI) directives embedded in critical pages such as login.shtml and settings.shtml. These directives dynamically retrieve and expose the web administration password from non-volatile memory during runtime, allowing unauthenticated attackers to obtain administrative credentials and gain full control of the device. A proof-of-concept and detailed technical analysis have been publicly disclosed by security researchers, indicating active awareness and potential exploitation in the wild.

Technical ContextAI

The vulnerability exploits improper use of Server-Side Include (SSI) directives, a server-side templating mechanism that executes embedded commands within HTML pages before serving them to clients. In this case, the SSI directives are configured to retrieve the web administration password from non-volatile storage (likely NVRAM or flash memory) and embed it directly into the HTML response sent to the client. This represents a failure in secure credential management practices; administrative credentials should never be retrieved or rendered in web responses, regardless of authentication state. The affected device is the WDR201A WiFi extender; while vendor identification is incomplete in the CPE string (cpe:2.3:a:n/a:n/a), cross-referencing with the public disclosure and Made-in-China manufacturer information suggests this is a budget consumer-grade IoT device. The root cause maps to CWE categories related to information disclosure, improper access control, and hardcoded credentials, combined with dangerous server-side template injection patterns.

RemediationAI

Immediate remediation requires contacting the device manufacturer or authorized distributor to determine if a firmware update addressing CVE-2026-30701 is available. If a patched firmware version exists, users should upgrade immediately via the device's web administration interface or firmware management tools. If no patch is available or the vendor is unresponsive, the following mitigations should be implemented: (1) Restrict network access to the device's web administration interface by disabling remote management features and limiting access to trusted local networks only, (2) Change the hardcoded web administration password immediately after device configuration (if the device interface permits), (3) Isolate the WiFi extender on a dedicated network segment with access controls preventing lateral movement, (4) Monitor network traffic for unauthorized access attempts to the administrative interface, and (5) Strongly consider replacing the device with a more recent model from a vendor with active security support. Users unable to patch should treat the device as compromised from a network security perspective and implement compensating controls such as network segmentation, intrusion detection, and credential monitoring.

Share

CVE-2026-30701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy