OS Command Injection in WDR201A WiFi Extender from Yeapook
CVE-2026-41923

9.3CRITICAL

Key Information:

Vendor

Shenzhen Yipu Commercial And Trading Co., Ltd

Status
Wdr201a Wifi Extender
Vendor
CVE Published:
4 May 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-41923?

The WDR201A WiFi Extender by Yeapook is susceptible to an OS command injection vulnerability found in the internet.cgi binary. This flaw allows unauthenticated remote attackers to execute arbitrary shell commands by sending specially crafted input to the gateway's POST parameter. Exploiting this vulnerability takes advantage of unsanitized parameter concatenation within the set_add_routing function. As a result, attackers can inject shell commands that are executed through the popen() function, with some output reflected back in the HTTP response, posing significant risks to the device and the network it is connected to.

Affected Version(s)

WDR201A WiFi Extender 0 <= 1.02

References

https://mstreet97.github.io/security-research/iot/vulnera...
technical-descriptionexploit
https://www.made-in-china.com/showroom/yeapook/#:~:text=E...
product
https://www.vulncheck.com/advisories/wdr201a-wifi-extende...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matteo Strada
Daniele Berardinelli
.