OS Command Injection Vulnerability in WDR201A WiFi Extender from Yeapook
CVE-2026-41924

9.3CRITICAL

Key Information:

Vendor

Shenzhen Yipu Commercial And Trading Co., Ltd

Status
Wdr201a Wifi Extender
Vendor
CVE Published:
4 May 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-41924?

The WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) is affected by an OS command injection vulnerability within the makeRequest.cgi binary. This weakness allows unauthenticated remote attackers to execute arbitrary shell commands by exploiting unsanitized inputs in the set_time or StartSniffer functions. By crafting a POST request with cleverly designed ampersand-delimited parameters, attackers can bypass input validation and execute malicious commands, utilizing a maximum length of 31 bytes, through the date command or other channel parameter processing.

Affected Version(s)

WDR201A WiFi Extender 0 <= 1.02

References

https://mstreet97.github.io/security-research/iot/vulnera...
technical-descriptionexploit
https://www.made-in-china.com/showroom/yeapook/#:~:text=E...
product
https://www.vulncheck.com/advisories/wdr201a-wifi-extende...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matteo Strada
.