External risk intelligence

WDR201A WiFi extender allows attackers to run any command remotely, potentially taking control of your network.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-41924

An external attacker can remotely take control of the WDR201A WiFi Extender by tricking it into running unauthorized commands. This could allow them to intercept sensitive network traffic or use the device as a launchpad to access the rest of your internal company network.

2Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-41924

The vulnerability affects the web management interface of a consumer-grade WiFi extender. These devices are typically deployed within internal, private network environments behind a router or firewall. While they are network-reachable, they are not designed to be public-facing, making direct exposure to the internet uncommon in standard deployments.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows unauthenticated attackers to run commands on a WiFi extender remotely. This could let them take control of the device and potentially disrupt network services.

  • Attackers can execute commands remotely.
  • It impacts the device's core functionality.
  • Access can be achieved without authentication.

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to the WDR201A WiFi Extender's `makeRequest.cgi` binary. By injecting malicious characters into the `set_time` or `StartSniffer` functions, the attacker can bypass input sanitization and execute arbitrary shell commands with limited length. This allows for remote code execution on the vulnerable device.

  • Attackers need network access.
  • Vulnerable surface is `makeRequest.cgi`.
  • Input sanitization bypass is key.

Live Threat

Current exploitation, exposure, and threat context

This OS command injection vulnerability in a WiFi extender allows unauthenticated remote attackers to execute arbitrary shell commands. While the technical exploitability is high due to unauthenticated network access and critical impact, attackers may find it less appealing for widespread exploitation due to the niche nature of the target device and its typical deployment within private networks.

  • Exploit code is publicly available.
  • Device is unlikely to be internet-facing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize investigating and containing the WDR201A WiFi Extender (FW LFMZX28040922V1.02) due to its critical OS command injection vulnerability, which allows unauthenticated remote command execution. Since this vulnerability is actively exploited and has a public exploit, consider taking affected services offline or isolating them immediately.

  • Identify and isolate affected extenders.
  • Monitor network traffic for suspicious POST requests.
  • If isolation is not possible, restrict access to the extender's management interface.

Frequently asked questions

What is the WDR201A WiFi Extender and its role in a network?

The WDR201A WiFi Extender is a hardware device (HW V2.1, FW LFMZX28040922V1.02) designed to enhance and expand wireless network coverage. Its primary function is to strengthen Wi-Fi signals in areas where the main router's signal is weak, thereby improving connectivity throughout a space.

What is CVE-2026-41924 and its classification?

CVE-2026-41924 is a critical vulnerability found in the WDR201A WiFi Extender's `makeRequest.cgi` binary. This weakness is classified as OS command injection, allowing attackers to execute unintended commands on the device.

How can an attacker trigger CVE-2026-41924 on the WDR201A WiFi Extender?

An unauthenticated remote attacker can exploit this by sending a specially crafted POST request to the `makeRequest.cgi` binary. Malicious input injected into the `set_time` or `StartSniffer` functions bypasses input sanitization, enabling the execution of arbitrary shell commands.

What is the significance of CVE-2026-41924 affecting the WDR201A WiFi Extender?

This vulnerability holds significant relevance as it permits unauthenticated remote attackers to execute arbitrary shell commands on the WDR201A WiFi Extender. This could lead to the compromise of the device and potential disruption of network services, impacting devices connected to the extender. The Halo Surface Signal indicates this is an unlikely threat due to the typical deployment of such devices within private networks, not directly exposed to the internet.

What steps should be taken to address the WDR201A WiFi Extender vulnerability?

Given the critical nature of the OS command injection vulnerability in the WDR201A WiFi Extender (FW LFMZX28040922V1.02), it is recommended to identify and isolate affected devices immediately. Monitoring network traffic for suspicious POST requests targeting the extender's management interface is crucial. If isolation is not feasible, restricting access to the extender's management interface should be implemented to mitigate risk.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified