Skip to main content

CVE-2026-30702

| EUVDEUVD-2026-12874 CRITICAL
Improper Authorization (CWE-285)
2026-03-18 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 17:30 euvd
EUVD-2026-12874
Analysis Generated
Mar 18, 2026 - 17:30 vuln.today
CVE Published
Mar 18, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, allowing attackers to bypass authentication by directly accessing restricted web application endpoints through forced browsing

AnalysisAI

This vulnerability implements a broken authentication mechanism in the WiFi Extender WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) web management interface, allowing attackers to bypass login controls through forced browsing of restricted endpoints without valid session validation. An attacker can directly access administrative functions and sensitive configuration pages by circumventing the authentication layer entirely. A proof-of-concept and detailed technical analysis have been published by security researchers, indicating this is a practical, demonstrable vulnerability affecting consumer-grade networking equipment with no official CVSS scoring yet assigned.

Technical ContextAI

The vulnerability involves a broken authentication implementation (CWE root cause class) in the web-based management interface of the WDR201A WiFi extender. The device fails to properly enforce session validation when users attempt to access restricted administrative endpoints, instead relying on client-side or easily-bypassable authentication checks. This is a common flaw in consumer IoT and networking devices where developers implement authentication through simple parameter checking or missing access control verification on backend handlers, rather than enforcing server-side session tokens and authentication gates on every protected resource. The affected firmware version LFMZX28040922V1.02 on hardware revision 2.1 does not validate that an unauthenticated user lacks the necessary session credentials before serving sensitive configuration pages, allowing direct traversal to admin functions via HTTP GET or POST requests.

RemediationAI

The primary remediation is to contact the device manufacturer for a firmware update that properly implements session validation and authentication enforcement; users should check the vendor's support page or the provided research disclosure for patch availability and timeline. If a firmware update is available, upgrade immediately to a version released after February 2026 that addresses this authentication bypass. Until a patch is deployed, apply compensating controls: isolate the device on a restricted network segment with firewall rules blocking unauthorized access to the management interface, change any default credentials to complex passwords, disable remote management access if available, and monitor for suspicious access attempts to the device's HTTP/HTTPS ports (typically 80/443 or 8080/8443). Consider replacing the device with an alternative that implements proper authentication standards if the vendor does not provide a timely security update.

Share

CVE-2026-30702 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy