OS Command Injection Vulnerability in WDR201A WiFi Extender by Yeapook
CVE-2026-41925

9.3CRITICAL

Key Information:

Vendor

Shenzhen Yipu Commercial And Trading Co., Ltd

Status
Wdr201a Wifi Extender
Vendor
CVE Published:
4 May 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-41925?

The WDR201A WiFi Extender has been identified to contain a vulnerability associated with OS command injection within the adm.cgi binary's reboot_time function. This flaw permits unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious data into the reboot_time POST parameter, specifically when reboot_enabled=1. By crafting a specific request that includes shell metacharacters, an attacker could potentially perform remote code execution, compromising the security of the device.

Affected Version(s)

WDR201A WiFi Extender 0 <= 1.02

References

https://mstreet97.github.io/security-research/iot/vulnera...
technical-descriptionexploit
https://www.made-in-china.com/showroom/yeapook/#:~:text=E...
product
https://www.vulncheck.com/advisories/wdr201a-wifi-extende...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matteo Strada
.