CVE-2026-41925
WDR201A WiFi Extender OS Command Injection via adm.cgi (reboot_time)
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution.
| CWE | CWE-78 |
| Vendor | shenzhen yipu commercial and trading co., ltd |
| Product | wdr201a wifi extender |
| Published | May 4, 2026 |
| Last Updated | May 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for shenzhen yipu commercial and trading co., ltd wdr201a wifi extender
Be the first to know when new unknown vulnerabilities affecting shenzhen yipu commercial and trading co., ltd wdr201a wifi extender are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Shenzhen Yipu Commercial and Trading Co., Ltd / WDR201A WiFi Extender
0 โค 1.02
References
mstreet97.github.io: https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html made-in-china.com: https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China vulncheck.com: https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-adm-cgi-reboot-time
Credits
Matteo Strada