CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Description
The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) contains hardcoded credential disclosure mechanisms, in the form of Server-Side Include (SSI) directives, within multiple server-side web pages, including login.shtml and settings.shtml. These pages embed server-side execution directives that dynamically retrieve and expose the web administration password from non-volatile memory at runtime.
Analysis
A WiFi Extender model WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) contains hardcoded credential disclosure vulnerabilities in its web administration interface through server-side include (SSI) directives embedded in critical pages such as login.shtml and settings.shtml. These directives dynamically retrieve and expose the web administration password from non-volatile memory during runtime, allowing unauthenticated attackers to obtain administrative credentials and gain full control of the device. …
Remediation
Within 24 hours: Identify all affected systems and apply vendor patches immediately. Audit authentication configurations and rotate any potentially compromised credentials.
EUVD-2026-12872