Which versions of WDR201A WiFi Extender are affected by EUVD-2026-27121?

CVE-2026-41924 is a critical remote code execution vulnerability affecting TP-Link WDR201A WiFi extenders (firmware ≤1.02) that allows unauthenticated attackers to execute arbitrary commands on the…

Is there a public PoC exploit available for EUVD-2026-27121?

Yes, a public proof-of-concept exploit is available for EUVD-2026-27121. Prioritise patching immediately. EPSS: 0.2%.

WDR201A WiFi Extender EUVD-2026-27121

Q: What is the CVSS score of EUVD-2026-27121?

EUVD-2026-27121 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

| CVE-2026-41924 CRITICAL

OS Command Injection (CWE-78)

2026-05-04 VulnCheck

Command Injection

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 04, 2026 - 22:15 vuln.today

CVSS changed

May 04, 2026 - 20:22 NVD

9.3 (CRITICAL)

DescriptionNVD

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers can craft a POST request with specially crafted ampersand-delimited parameters to bypass input sanitization and execute commands with a maximum length of 31 bytes through the date command or channel parameter processing.

AnalysisAI

Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated network attackers to execute arbitrary OS commands via the makeRequest.cgi binary. Exploitation requires no user interaction and has CVSS:4.0 score of 9.3. …

RemediationAI

Within 24 hours: Inventory all WDR201A devices (HW V2.1, FW ≤1.02) and document network exposure; disconnect any internet-facing units or isolate to trusted networks only. Within 7 days: Contact TP-Link support to confirm patch availability timeline and obtain firmware version 1.03 or later if released; evaluate replacement with patched alternative models for critical network access points. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-27121 vulnerability details – vuln.today

Back

WDR201A WiFi Extender EUVD-2026-27121

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

WDR201A WiFi Extender EUVD-2026-27121

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code