Vulnerability Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution.
References
- https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-as
- https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.
- https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-
FAQ
What is CVE-2026-41925?
CVE-2026-41925 is a documented vulnerability. WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execu...
How severe is CVE-2026-41925?
CVSS scoring is not yet available for CVE-2026-41925. Check NVD for updates.
Is there a patch for CVE-2026-41925?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.