Vulnerability Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response.
Related Weaknesses (CWE)
References
- https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-as
- https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.
- https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-
FAQ
What is CVE-2026-41923?
CVE-2026-41923 is a documented vulnerability. WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell...
How severe is CVE-2026-41923?
CVSS scoring is not yet available for CVE-2026-41923. Check NVD for updates.
Is there a patch for CVE-2026-41923?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.