Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality.
AnalysisAI
Unauthenticated remote code execution in WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) via command injection in the adm.cgi sysCMD parameter allows attackers to achieve complete system compromise without authentication or user interaction. The vulnerability stems from insufficient input validation on the web management interface and currently lacks a vendor patch.
Technical ContextAI
The vulnerability resides in the web-based management interface of a consumer WiFi extender device, specifically within the adm.cgi Common Gateway Interface script. The sysCMD functionality appears to accept user-supplied parameters without adequate input validation or sanitization, allowing shell metacharacters and command separators (such as semicolons, pipes, or backticks) to be injected into system command execution contexts. This represents a classic command injection flaw (CWE category) where insufficient input filtering on command-line operations permits an attacker to break out of the intended command syntax and execute arbitrary shell commands with the privileges of the web server process (typically root on embedded devices). The affected device is identified as the WiFi Extender WDR201A with CPE cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:* (vendor/product identification was not fully specified in available intelligence), running firmware version LFMZX28040922V1.02 or earlier on hardware revision 2.1.
RemediationAI
Contact the device manufacturer (WDR/Yeapook or OEM equivalent) to obtain and install the latest available firmware for the WDR201A hardware version 2.1. Immediately change all default administrative credentials used to access the web management interface and implement strong, unique passwords. If a firmware update is not available from the vendor, consider the following compensating controls: restrict network access to the device's web management interface (port 80/443) to a specific trusted management network or IP address range using a firewall or VLAN; disable web-based management entirely if possible and manage the device via alternative methods; isolate the WiFi extender on a separate network segment to limit lateral movement in case of compromise. Monitor for signs of unauthorized access or command execution on the device. For organizations managing multiple WDR201A devices, this vulnerability should be treated as high priority for patching or replacement planning. References: EUVDA tracking ID EUVD-2026-12876 and security research disclosure at https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/cybersecurity/cve/2026/02/18/From-Blackbox-to-Whitebox-Multiple-CVEs-in-a-Consumer-WiFi-Extender.html.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12876