CVE-2026-41922
OS Command Injection in WDR201A WiFi Extender
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WDR201A WiFi Extender (hardware version 2.1, firmware LFMZX28040922V1.02) within the wireless.cgi binary. It is an OS command injection flaw that allows unauthenticated remote attackers to execute arbitrary shell commands on the device. The issue arises because the device does not properly sanitize input in the sz11gChannel or PIN POST parameters. Attackers exploit this by injecting malicious input into these parameters, specifically targeting the set_wifi_basic and set_wifi_do_wps functions, resulting in remote code execution without needing any authentication.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to remotely execute arbitrary commands on the affected WiFi extender without any authentication. This could lead to full compromise of the device, enabling attackers to control network traffic, intercept data, disrupt network services, or use the device as a foothold to attack other devices on the network.