Skip to main content

WDR201A WiFi Extender CVE-2026-41924

| EUVDEUVD-2026-27121 CRITICAL
OS Command Injection (CWE-78)
2026-05-04 VulnCheck
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 04, 2026 - 22:15 vuln.today
CVSS changed
May 04, 2026 - 20:22 NVD
9.3 (CRITICAL)

DescriptionCVE.org

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers can craft a POST request with specially crafted ampersand-delimited parameters to bypass input sanitization and execute commands with a maximum length of 31 bytes through the date command or channel parameter processing.

AnalysisAI

Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated network attackers to execute arbitrary OS commands via the makeRequest.cgi binary. Exploitation requires no user interaction and has CVSS:4.0 score of 9.3. Publicly available exploit code exists (confirmed by VulnCheck and CISA SSVC framework), enabling automated attacks against exposed devices. SSVC designates this as automatable with total technical impact, representing immediate operational risk to internet-facing extenders.

Technical ContextAI

This vulnerability affects the makeRequest.cgi CGI binary in WDR201A WiFi Extender firmware manufactured by Shenzhen Yipu Commercial and Trading Co., Ltd. The affected product (CPE: cpe:2.3:a:shenzhen_yipu_commercial_and_trading_co.,_ltd:wdr201a_wifi_extender:*:*:*:*:*:*:*:*) runs a lightweight embedded web server processing HTTP POST requests through CGI scripts. The root cause is CWE-78 (OS Command Injection), where the set_time and StartSniffer functions pass unsanitized user input directly to system shell commands. Specifically, ampersand-delimited parameters in POST requests reach the date command and channel parameter processing routines without proper input validation. The 31-byte length constraint suggests the vulnerability exploits fixed-size buffers or command string concatenation in the firmware's time synchronization and WiFi monitoring features. Consumer-grade IoT devices like WiFi extenders typically run BusyBox or similar minimal Linux distributions with web management interfaces exposed by default, making them attractive targets for botnet recruitment.

RemediationAI

No vendor-released patch identified at time of analysis - the manufacturer (Shenzhen Yipu Commercial and Trading Co., Ltd.) has not published security updates or firmware downloads accessible through standard channels. Organizations must implement network-level compensating controls immediately: (1) Isolate WDR201A devices on segregated VLAN with no internet exposure and restrict management interface access to trusted administrator IP ranges only - this prevents remote unauthenticated exploitation but impairs remote management convenience; (2) Deploy firewall rules blocking inbound HTTP/HTTPS to TCP ports 80/443 on extender management IPs from WAN and untrusted LAN segments - effectiveness depends on correct identification of all device instances; (3) Replace affected hardware with alternative WiFi extenders from vendors with established CVE response programs if business continuity permits capital expenditure. Organizations should monitor VulnCheck advisory (https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-makerequest-cgi) and researcher disclosure (https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html) for any subsequent patch releases. Given typical consumer IoT support lifecycles, firmware updates are unlikely for hardware revision V2.1 manufactured circa 2020-2022.

Share

CVE-2026-41924 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy