CVE-2026-30701
Hardcoded Credential Disclosure in WDR201A WiFi Extender Web Interface
Publication date: 2026-03-18
Last updated on: 2026-03-23
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | wdr201a | up to and including 1.02 |
| tp-link | wdr201a | up to and including V1.02 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). It involves hardcoded credential disclosure mechanisms embedded within multiple server-side web pages, such as login.shtml and settings.shtml. These pages use server-side execution directives that dynamically retrieve and expose the web administration password from non-volatile memory at runtime.
How can this vulnerability impact me?
An attacker who accesses the vulnerable web interface could retrieve the web administration password due to the hardcoded credential disclosure mechanisms. This could lead to unauthorized access to the device's administrative functions, potentially allowing the attacker to change settings, disrupt network operations, or compromise network security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know