Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution.
AnalysisAI
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated attackers to execute arbitrary OS commands via the adm.cgi binary's reboot_time parameter. The vulnerability stems from unsanitized input handling in the reboot scheduling function, exploitable by sending crafted POST requests with shell metacharacters when reboot_enabled=1. Public exploit code exists (CVSS 9.3, SSVC: automatable/total impact), making this a critical priority for affected deployments despite no confirmed CISA KEV listing at time of analysis.
Technical ContextAI
This is a classic OS command injection (CWE-78) vulnerability in embedded device firmware. The WDR201A WiFi Extender's web management interface uses CGI binaries (adm.cgi) for administrative functions. The reboot_time function fails to sanitize user input before passing it to system shell commands, allowing attackers to break out of intended command context using shell metacharacters (e.g., semicolons, pipes, backticks). The affected firmware version (LFMZX28040922V1.02) appears to be manufactured by Shenzhen Yipu Commercial and Trading Co., a supplier of networking equipment. The vulnerability resides in pre-authentication code paths, meaning the web interface processes the malicious parameter before credential verification.
RemediationAI
No vendor-released patch has been identified at time of analysis - the manufacturer's advisory status and firmware update availability remain unconfirmed from provided sources. Without an official fix, organizations must implement immediate compensating controls: (1) Isolate affected WDR201A devices on dedicated network segments with strict firewall rules blocking external access to the web management interface (typically TCP ports 80/443), understanding this prevents remote management but is necessary to block exploitation. (2) Disable remote administration features entirely if supported by device configuration, though firmware limitations may prevent full mitigation. (3) If isolation is infeasible, consider replacing devices with alternative products from vendors with active security support programs. (4) Deploy network-based IDS/IPS rules to detect POST requests to /adm.cgi containing shell metacharacters in reboot_time parameters. Monitor the VulnCheck advisory at https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-adm-cgi-reboot-time and vendor channels for firmware updates.
More in Wdr201A Wifi Extender
View allRemote code execution in WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) allows unauthenticated network attackers
OS command injection in WDR201A WiFi Extender firmware v1.02 allows unauthenticated remote attackers to execute arbitrar
Remote unauthenticated command injection in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows attackers to execute arbitr
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated network attackers to execute a
Stack-based buffer overflow in WDR201A WiFi Extender firewall.cgi and makeRequest.cgi binaries enables remote unauthenti
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27124