CVE Catalog

CVE-2026-41925

Critical
Published: Translated: NVD NIST

Summary

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the reboot_time function of the adm.cgi binary. This allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter.

Risk Assessment

Attackers can exploit this vulnerability for remote code execution, posing a significant threat to the security of the system and the organization's data.

Recommendation

It is recommended to update the device firmware to the latest version that addresses this vulnerability and to implement appropriate security measures to restrict access to the administrative interface.

Original NVD description (English source)

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS