CVE-2026-41926: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Shenzhen Yipu Commercial and Trading Co., Ltd WDR201A WiFi Extender
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.
AI Analysis
Technical Summary
CVE-2026-41926 is an OS command injection vulnerability in the firewall.cgi binary of the WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) by Shenzhen Yipu Commercial and Trading Co., Ltd. The issue arises from insufficient input validation in five request handlers, allowing attackers to inject arbitrary shell commands through parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter. These injected commands persist in NVRAM and execute on every subsequent firewall.cgi invocation. The vulnerability has a CVSS 4.0 score of 9.3, reflecting its critical impact and ease of exploitation without authentication or user interaction.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary OS commands on the device with high privileges. This can lead to full compromise of the WiFi extender, persistent malicious code execution, and potential network security breaches. The persistence of injected commands in NVRAM increases the risk and impact of the vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the device's management interface to trusted networks only and monitor for unusual behavior. Avoid exposing the device management interface to untrusted networks. No official vendor remediation or temporary fix has been published as of now.
CVE-2026-41926: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Shenzhen Yipu Commercial and Trading Co., Ltd WDR201A WiFi Extender
Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.
CVSS v4.0
Score 9.3critical
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41926 is an OS command injection vulnerability in the firewall.cgi binary of the WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) by Shenzhen Yipu Commercial and Trading Co., Ltd. The issue arises from insufficient input validation in five request handlers, allowing attackers to inject arbitrary shell commands through parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter. These injected commands persist in NVRAM and execute on every subsequent firewall.cgi invocation. The vulnerability has a CVSS 4.0 score of 9.3, reflecting its critical impact and ease of exploitation without authentication or user interaction.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary OS commands on the device with high privileges. This can lead to full compromise of the WiFi extender, persistent malicious code execution, and potential network security breaches. The persistence of injected commands in NVRAM increases the risk and impact of the vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the device's management interface to trusted networks only and monitor for unusual behavior. Avoid exposing the device management interface to untrusted networks. No official vendor remediation or temporary fix has been published as of now.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-22T18:50:43.620Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f8f1b7cbff5d861042a3a2
Added to database: 5/4/2026, 7:21:27 PM
Last enriched: 5/19/2026, 8:59:38 AM
Last updated: 6/19/2026, 4:28:03 AM
Views: 119
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.