Skip to main content

CVE-2026-30703

| EUVDEUVD-2026-12876 CRITICAL
OS Command Injection (CWE-78)
2026-03-18 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 17:30 euvd
EUVD-2026-12876
Analysis Generated
Mar 18, 2026 - 17:30 vuln.today
CVE Published
Mar 18, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality.

AnalysisAI

Unauthenticated remote code execution in WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) via command injection in the adm.cgi sysCMD parameter allows attackers to achieve complete system compromise without authentication or user interaction. The vulnerability stems from insufficient input validation on the web management interface and currently lacks a vendor patch.

Technical ContextAI

The vulnerability resides in the web-based management interface of a consumer WiFi extender device, specifically within the adm.cgi Common Gateway Interface script. The sysCMD functionality appears to accept user-supplied parameters without adequate input validation or sanitization, allowing shell metacharacters and command separators (such as semicolons, pipes, or backticks) to be injected into system command execution contexts. This represents a classic command injection flaw (CWE category) where insufficient input filtering on command-line operations permits an attacker to break out of the intended command syntax and execute arbitrary shell commands with the privileges of the web server process (typically root on embedded devices). The affected device is identified as the WiFi Extender WDR201A with CPE cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:* (vendor/product identification was not fully specified in available intelligence), running firmware version LFMZX28040922V1.02 or earlier on hardware revision 2.1.

RemediationAI

Contact the device manufacturer (WDR/Yeapook or OEM equivalent) to obtain and install the latest available firmware for the WDR201A hardware version 2.1. Immediately change all default administrative credentials used to access the web management interface and implement strong, unique passwords. If a firmware update is not available from the vendor, consider the following compensating controls: restrict network access to the device's web management interface (port 80/443) to a specific trusted management network or IP address range using a firewall or VLAN; disable web-based management entirely if possible and manage the device via alternative methods; isolate the WiFi extender on a separate network segment to limit lateral movement in case of compromise. Monitor for signs of unauthorized access or command execution on the device. For organizations managing multiple WDR201A devices, this vulnerability should be treated as high priority for patching or replacement planning. References: EUVDA tracking ID EUVD-2026-12876 and security research disclosure at https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/cybersecurity/cve/2026/02/18/From-Blackbox-to-Whitebox-Multiple-CVEs-in-a-Consumer-WiFi-Extender.html.

Share

CVE-2026-30703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy