CVE Catalog

CVE-2026-41922

Critical
Published: Translated: NVD NIST

Summary

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.

Risk Assessment

This vulnerability poses a serious risk to organizations, allowing attackers to remotely execute code, which could lead to device takeover and access to the local network.

Recommendation

It is recommended to update the device firmware to the latest version that fixes this vulnerability and to implement appropriate security measures to restrict access to the device to authorized users.

Original NVD description (English source)

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS