CVE-2026-41924 is an OS command injection vulnerability affecting the WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) from Shenzhen Yipu Commercial and Trading Co., Ltd. The vulnerability exists in the makeRequest.cgi binary, specifically within the set_time and StartSniffer functions. It allows unauthenticated remote attackers to inject and execute arbitrary shell commands by sending specially crafted POST requests with ampersand-delimited parameters. The input sanitization can be bypassed, permitting command execution limited to 31 bytes, leveraging parameters such as date or channel. The vulnerability is classified under CWE-78 and has a CVSS 4.0 score of 9.3 (critical). No patch or official remediation level has been disclosed by the vendor.

Successful exploitation of this vulnerability allows unauthenticated remote attackers to execute arbitrary shell commands on the affected device, potentially leading to full compromise of the WiFi extender. This can result in unauthorized control over device functionality, interception or manipulation of network traffic, and use of the device as a foothold for further network attacks. The critical CVSS score reflects the high impact and ease of exploitation without any required privileges or user interaction.

As of the current information, no official patch or remediation has been provided by Shenzhen Yipu Commercial and Trading Co., Ltd. Users and administrators should monitor the vendor's advisories for updates or patches addressing this vulnerability. Until a fix is available, consider isolating the affected device from untrusted networks and restricting access to the device's management interface to trusted users only. Avoid exposing the device to the internet or untrusted networks to reduce the risk of exploitation.