Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, allowing attackers to bypass authentication by directly accessing restricted web application endpoints through forced browsing
AnalysisAI
This vulnerability implements a broken authentication mechanism in the WiFi Extender WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) web management interface, allowing attackers to bypass login controls through forced browsing of restricted endpoints without valid session validation. An attacker can directly access administrative functions and sensitive configuration pages by circumventing the authentication layer entirely. A proof-of-concept and detailed technical analysis have been published by security researchers, indicating this is a practical, demonstrable vulnerability affecting consumer-grade networking equipment with no official CVSS scoring yet assigned.
Technical ContextAI
The vulnerability involves a broken authentication implementation (CWE root cause class) in the web-based management interface of the WDR201A WiFi extender. The device fails to properly enforce session validation when users attempt to access restricted administrative endpoints, instead relying on client-side or easily-bypassable authentication checks. This is a common flaw in consumer IoT and networking devices where developers implement authentication through simple parameter checking or missing access control verification on backend handlers, rather than enforcing server-side session tokens and authentication gates on every protected resource. The affected firmware version LFMZX28040922V1.02 on hardware revision 2.1 does not validate that an unauthenticated user lacks the necessary session credentials before serving sensitive configuration pages, allowing direct traversal to admin functions via HTTP GET or POST requests.
RemediationAI
The primary remediation is to contact the device manufacturer for a firmware update that properly implements session validation and authentication enforcement; users should check the vendor's support page or the provided research disclosure for patch availability and timeline. If a firmware update is available, upgrade immediately to a version released after February 2026 that addresses this authentication bypass. Until a patch is deployed, apply compensating controls: isolate the device on a restricted network segment with firewall rules blocking unauthorized access to the management interface, change any default credentials to complex passwords, disable remote management access if available, and monitor for suspicious access attempts to the device's HTTP/HTTPS ports (typically 80/443 or 8080/8443). Consider replacing the device with an alternative that implements proper authentication standards if the vendor does not provide a timely security update.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12874