Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response.
AnalysisAI
OS command injection in WDR201A WiFi Extender firmware v1.02 allows unauthenticated remote attackers to execute arbitrary shell commands via the gateway parameter in internet.cgi. Exploitation requires no user interaction or authentication against internet-exposed devices. Public exploit code exists (VulnCheck advisory), demonstrating active security research interest. CVSS 9.3 reflects maximum network exploitability (AV:N/AC:L/PR:N/UI:N) with high confidentiality, integrity, and availability impact on the device itself. No vendor patch identified at time of analysis for this discontinued consumer IoT product.
Technical ContextAI
The vulnerability resides in the internet.cgi CGI binary's set_add_routing function, which performs unsanitized concatenation of user-supplied POST parameters before passing them to the popen() system call for shell command execution. This is a textbook CWE-78 OS Command Injection, where special shell metacharacters (e.g., semicolons, pipes, backticks) in the 'gateway' parameter break out of the intended command context. The affected product is a consumer WiFi range extender manufactured by Shenzhen Yipu Commercial and Trading Co., Ltd (CPE 2.3 identifier confirms vendor). Web-based management interfaces in IoT devices frequently expose CGI endpoints for configuration; when these endpoints lack input validation and use dangerous functions like popen() or system(), attackers can inject shell commands that execute with the privileges of the web server process (typically root on embedded devices).
RemediationAI
No vendor-released patch identified at time of analysis; the manufacturer (Shenzhen Yipu Commercial and Trading) does not appear to maintain public security advisories or firmware update portals based on available references. For affected WDR201A devices, implement these compensating controls immediately: (1) Ensure management interface is accessible only from trusted LAN segments - verify firewall rules block WAN access to HTTP/HTTPS management ports (typically TCP 80/443/8080) and disable UPnP port forwarding if enabled (trade-off: breaks remote management). (2) If devices must be remotely managed, place behind VPN gateway requiring strong authentication (adds operational complexity but prevents unauthenticated exploitation). (3) Monitor device for unexpected outbound connections to known botnet C2 infrastructure using network flow logs (detection-only, does not prevent compromise). (4) Long-term solution: replace with actively supported WiFi extender from vendor with established CVE response process. Advisory references: VulnCheck technical analysis at https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-internet-cgi and exploit details at https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html.
More in Wdr201A Wifi Extender
View allRemote code execution in WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) allows unauthenticated network attackers
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated attackers to execute arbitrary
Remote unauthenticated command injection in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows attackers to execute arbitr
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated network attackers to execute a
Stack-based buffer overflow in WDR201A WiFi Extender firewall.cgi and makeRequest.cgi binaries enables remote unauthenti
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27120