External risk intelligence

WDR201A WiFi Extender allows attackers to control your network from anywhere.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-41923

The WDR201A WiFi Extender contains a security flaw that allows an external attacker to remotely take complete control of the device without a password. This exposes the business to credential theft, interception of network traffic, and unauthorized access to internal systems.

3Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-41923

The WDR201A is a network gateway device featuring a web-based management interface. While this interface supports remote administration, it is primarily intended for local management. Internet reachability occurs in some deployments where administrators enable external access, but public exposure is not the standard or default state for this class of device.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in the WDR201A WiFi Extender that allows attackers to run unauthorized commands. This happens because the device improperly handles input, enabling remote execution of code on the device itself.

  • Attackers can gain control.
  • The vulnerability is easy to exploit.
  • Affects network devices.

Attack Path

How an attacker could exploit the issue

Unauthenticated attackers can exploit a command injection flaw in the WDR201A WiFi Extender. By sending specially crafted POST requests to the `internet.cgi` binary, they can inject arbitrary shell commands via the `gateway` parameter. This allows them to execute commands on the device, potentially leading to full compromise.

  • Unauthenticated remote access needed.
  • Targets `internet.cgi` via POST.
  • Injects commands into `gateway` parameter.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the WDR201A WiFi Extender allows unauthenticated remote attackers to execute arbitrary shell commands. The exploit involves injecting malicious input into the `gateway` POST parameter of the `internet.cgi` binary. While the vulnerability is critical and exploitable remotely without authentication, the threat picture is uncertain due to the device's typical deployment as a local network extender.

  • Exploitation requires targeted access to the device.
  • No public exploit code is readily available.
  • The device is not commonly exposed to the internet.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and blocking any traffic attempting to exploit the OS command injection vulnerability in the `internet.cgi` binary of the WDR201A WiFi Extender. Given its critical severity and unauthenticated remote exploitability, immediately determine if any of these devices are accessible from the internet and assess the business impact of potential compromise. If found exposed, isolate affected devices until a patch or mitigation is available.

  • Block network access to `internet.cgi`.
  • Monitor logs for `popen()` execution attempts.
  • Investigate available firmware updates or vendor patches.

Frequently asked questions

What is the WDR201A WiFi Extender and which version is affected by a critical vulnerability?

The WDR201A WiFi Extender, specifically hardware version V2.1 with firmware LFMZX28040922V1.02, is affected by an OS command injection vulnerability. This vulnerability allows unauthenticated remote attackers to execute arbitrary shell commands.

How does the OS command injection vulnerability in the WDR201A WiFi Extender work?

The vulnerability lies within the `internet.cgi` binary. Attackers can exploit unsanitized parameter concatenation in the `set_add_routing` function by injecting malicious input into the `gateway` POST parameter. This allows for the execution of arbitrary shell commands via `popen()`.

What is the trigger path and scope negation for the WDR201A WiFi Extender vulnerability?

The trigger path involves sending specially crafted POST requests to the `internet.cgi` binary, specifically targeting the `gateway` parameter with malicious input. The vulnerability allows for arbitrary command execution, potentially leading to a full compromise of the device.

What is the relevance of the WDR201A WiFi Extender vulnerability, considering its typical deployment?

While the WDR201A WiFi Extender is a network gateway device, its web interface is primarily for local management. Although remote administration is supported and some deployments may enable external access, public exposure is not the default state, making the direct threat picture uncertain despite the critical nature of the vulnerability.

What practical steps should be taken to respond to the WDR201A WiFi Extender vulnerability?

It is recommended to identify and block any network traffic attempting to exploit the OS command injection vulnerability in the `internet.cgi` binary. Assess if these devices are accessible from the internet and isolate any exposed devices. Monitoring logs for `popen()` execution attempts and investigating available firmware updates or vendor patches are also advised.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified