Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.
AnalysisAI
Remote unauthenticated command injection in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows attackers to execute arbitrary OS commands with device privileges via five vulnerable firewall.cgi handlers without authentication. Injected commands persist in NVRAM and automatically re-execute on every subsequent firewall request, creating a self-sustaining backdoor. Public exploit code exists per VulnCheck, making this an immediate weaponization risk for exposed devices. CVSS 9.3 reflects network attack vector with no complexity or authentication barriers (AV:N/AC:L/PR:N), though real-world impact depends on whether management interfaces are internet-exposed.
Technical ContextAI
The vulnerability exists in the firewall.cgi CGI binary within the device's embedded Linux web server. Five request handlers (websURLFilter, websHostFilter, portForward, singlePortForward, ipportFilter) perform shell command execution without proper input sanitization, allowing injection via subshell syntax (backticks, $(), or pipe operators). The affected product uses NVRAM (non-volatile RAM) to store configuration data, and the flaw allows attackers to write malicious payloads into this persistent storage. CWE-78 (OS Command Injection) is a critical vulnerability class where untrusted input is passed to system shell interpreters. The WDR201A is a consumer-grade WiFi range extender manufactured by Shenzhen Yipu Commercial and Trading Co., running proprietary firmware on embedded Linux. CPE cpe:2.3:a:shenzhen_yipu_commercial_and_trading_co.,_ltd:wdr201a_wifi_extender identifies the affected product line.
RemediationAI
No vendor-released patch identified at time of analysis - manufacturer Shenzhen Yipu has not published firmware updates addressing this vulnerability per available advisories. Immediate compensating controls required: (1) Isolate all WDR201A devices to dedicated VLAN with no internet access to management interface, blocking inbound TCP/80 and TCP/443 to device IP from untrusted networks - note this prevents remote management; (2) Disable web-based administration if CLI/physical access alternatives exist, eliminating the vulnerable firewall.cgi attack surface entirely but requiring on-site configuration changes; (3) Deploy network firewall rules restricting access to device management IPs to specific administrator source addresses only - reduces risk but requires maintaining IP whitelist; (4) Replace affected hardware with alternative WiFi extenders from vendors with active security update programs if business-critical deployment cannot tolerate residual risk. Monitor vendor communications at https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-firewall-cgi for future patch releases. Organizations should establish procurement policy excluding IoT vendors without public security contact and update channels.
More in Wdr201A Wifi Extender
View allRemote code execution in WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) allows unauthenticated network attackers
OS command injection in WDR201A WiFi Extender firmware v1.02 allows unauthenticated remote attackers to execute arbitrar
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated attackers to execute arbitrary
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated network attackers to execute a
Stack-based buffer overflow in WDR201A WiFi Extender firewall.cgi and makeRequest.cgi binaries enables remote unauthenti
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27125