Skip to main content

WDR201A WiFi Extender EUVDEUVD-2026-27125

| CVE-2026-41926 CRITICAL
OS Command Injection (CWE-78)
2026-05-04 VulnCheck
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 04, 2026 - 22:16 vuln.today
CVSS changed
May 04, 2026 - 20:22 NVD
9.3 (CRITICAL)

DescriptionCVE.org

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.

AnalysisAI

Remote unauthenticated command injection in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows attackers to execute arbitrary OS commands with device privileges via five vulnerable firewall.cgi handlers without authentication. Injected commands persist in NVRAM and automatically re-execute on every subsequent firewall request, creating a self-sustaining backdoor. Public exploit code exists per VulnCheck, making this an immediate weaponization risk for exposed devices. CVSS 9.3 reflects network attack vector with no complexity or authentication barriers (AV:N/AC:L/PR:N), though real-world impact depends on whether management interfaces are internet-exposed.

Technical ContextAI

The vulnerability exists in the firewall.cgi CGI binary within the device's embedded Linux web server. Five request handlers (websURLFilter, websHostFilter, portForward, singlePortForward, ipportFilter) perform shell command execution without proper input sanitization, allowing injection via subshell syntax (backticks, $(), or pipe operators). The affected product uses NVRAM (non-volatile RAM) to store configuration data, and the flaw allows attackers to write malicious payloads into this persistent storage. CWE-78 (OS Command Injection) is a critical vulnerability class where untrusted input is passed to system shell interpreters. The WDR201A is a consumer-grade WiFi range extender manufactured by Shenzhen Yipu Commercial and Trading Co., running proprietary firmware on embedded Linux. CPE cpe:2.3:a:shenzhen_yipu_commercial_and_trading_co.,_ltd:wdr201a_wifi_extender identifies the affected product line.

RemediationAI

No vendor-released patch identified at time of analysis - manufacturer Shenzhen Yipu has not published firmware updates addressing this vulnerability per available advisories. Immediate compensating controls required: (1) Isolate all WDR201A devices to dedicated VLAN with no internet access to management interface, blocking inbound TCP/80 and TCP/443 to device IP from untrusted networks - note this prevents remote management; (2) Disable web-based administration if CLI/physical access alternatives exist, eliminating the vulnerable firewall.cgi attack surface entirely but requiring on-site configuration changes; (3) Deploy network firewall rules restricting access to device management IPs to specific administrator source addresses only - reduces risk but requires maintaining IP whitelist; (4) Replace affected hardware with alternative WiFi extenders from vendors with active security update programs if business-critical deployment cannot tolerate residual risk. Monitor vendor communications at https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-firewall-cgi for future patch releases. Organizations should establish procurement policy excluding IoT vendors without public security contact and update channels.

Share

EUVD-2026-27125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy