CVE-2026-41923 is an OS command injection vulnerability (CWE-78) affecting the WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) by Shenzhen Yipu Commercial and Trading Co., Ltd. The vulnerability exists in the internet.cgi binary, specifically in the set_add_routing function, which improperly concatenates user-supplied input from the gateway POST parameter without adequate sanitization. This allows unauthenticated remote attackers to inject arbitrary shell commands executed via popen(), with partial command output reflected in HTTP responses. The vulnerability has a CVSS 4.0 score of 9.3 (critical), with no vendor-provided patch or remediation level indicated. The device is not a cloud service, and no known exploits have been reported.

Successful exploitation allows unauthenticated remote attackers to execute arbitrary shell commands on the affected device, potentially leading to full compromise of the WiFi extender. This could enable attackers to manipulate device configuration, intercept or redirect network traffic, or use the device as a foothold within the network. The reflected partial output in HTTP responses may aid attackers in crafting and verifying exploits. The critical CVSS score reflects the high impact and ease of exploitation without authentication.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, network administrators should consider isolating or disabling vulnerable devices to prevent remote exploitation. Monitoring network traffic for unusual HTTP POST requests targeting the internet.cgi endpoint may help detect exploitation attempts. Avoid exposing the device management interface to untrusted networks.