PatchSiren cyber security CVE debrief
CVE-2026-41922 Shenzhen Yipu Commercial and Trading Co., Ltd CVE debrief
A critical OS command injection vulnerability affects the WDR201A WiFi Extender (Hardware Version 2.1, Firmware LFMZX28040922V1.02). The vulnerability resides in the wireless.cgi binary, specifically within the set_wifi_basic and set_wifi_do_wps functions. Unauthenticated remote attackers can inject arbitrary shell commands through the sz11gChannel or PIN POST parameters due to unsanitized input handling, resulting in remote code execution without authentication. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, and high impact to confidentiality, integrity, and availability. The CVE was published on May 4, 2026, and last modified on May 26, 2026. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. Vendor identification remains uncertain with low confidence, with reference domain analysis suggesting potential association with a manufacturer listed on Made In China.
- Vendor
- Shenzhen Yipu Commercial and Trading Co., Ltd
- Product
- WDR201A WiFi Extender
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-04
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-04
- Advisory updated
- 2026-05-26
Who should care
Organizations deploying WDR201A WiFi Extenders in production environments, particularly those with devices exposed to guest networks or internet-facing management interfaces. Security teams responsible for IoT device inventory and vulnerability management. Network administrators managing wireless infrastructure with consumer-grade extenders.
Technical summary
The WDR201A WiFi Extender firmware contains an OS command injection vulnerability in the wireless.cgi binary. The set_wifi_basic and set_wifi_do_wps functions fail to sanitize user-supplied input passed via the sz11gChannel and PIN POST parameters. Attackers can inject shell metacharacters and commands that execute with the privileges of the web server process. No authentication is required to reach the vulnerable endpoint. The vulnerability allows complete device compromise including modification of network configuration, interception of traffic, and use as a network pivot point.
Defensive priority
critical
Recommended defensive actions
- Immediately isolate affected WDR201A WiFi Extender devices from untrusted networks or internet exposure
- Apply network segmentation to restrict access to device management interfaces
- Monitor for suspicious POST requests to wireless.cgi containing shell metacharacters in sz11gChannel or PIN parameters
- Contact device supplier or manufacturer for firmware update availability given uncertain vendor identification
- Consider replacement with supported alternative if patch availability cannot be confirmed
- Review device logs for historical exploitation indicators including unexpected command execution or configuration changes
Evidence notes
Vulnerability confirmed through source code analysis of firmware binary. CVSS 4.0 scoring applied. CWE-78 (OS Command Injection) classified as weakness type. Disclosure references include technical writeup, vendor marketplace reference, and VulnCheck advisory.
Official resources
The vulnerability was disclosed through coordinated disclosure via VulnCheck, with technical analysis published by security researcher mstreet97. The disclosure includes detailed vulnerability analysis but does not indicate active in-the-wi