CVE-2026-30702
Published: 18 March 2026
Description
The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, allowing attackers to bypass authentication by directly accessing restricted web application endpoints through forced browsing.
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for logical access to information and system resources, directly preventing authentication bypass via forced browsing to restricted web endpoints.
- Implements a reference monitor to mediate and enforce access control policies on all requests, blocking unauthorized direct access to protected management interface endpoints.
- Employs least privilege for web management functions, reducing the scope and impact of unauthorized access gained through authentication bypass.
Security Summary
CVE-2026-30702 is a critical authentication bypass vulnerability (CVSS 3.1 score of 9.8) affecting the WiFi Extender WDR201A device, specifically hardware version 2.1 running firmware LFMZX28040922V1.02. The flaw stems from a broken authentication mechanism in the web management interface, where the login page fails to properly enforce session validation. This allows attackers to bypass authentication entirely by directly accessing restricted web application endpoints via forced browsing techniques, as classified under CWE-285 (Improper Authorization).
The vulnerability is exploitable remotely over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N), no user interaction (UI:N), and no scope change (S:U), resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). Any unauthenticated attacker who can reach the device's web interface—typically on the local network—can exploit it to gain unauthorized administrative access, potentially enabling full device compromise, configuration changes, or further network pivoting.
Advisories reference a security research disclosure detailing this and other CVEs in the device at https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/cybersecurity/cve/2026/02/18/From-Blackbox-to-Whitebox-Multiple-CVEs-in-a-Consumer-WiFi-Extender.html, along with the manufacturer's site at https://www.made-in-china.com/showroom/yeapook/. No specific patches or mitigations are detailed in the provided information.
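The failure mode described above (a login page that checks the session while the restricted pages behind it check nothing) beside the reference-monitor control the mitigations call for, as an added example that is not from the advisory or the device firmware; the paths, credentials and session store are constructed stand-ins for the demonstration.

```python
# Added example: CWE-285 forced-browsing pattern vs. a single mediating check.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed session store (token -> username); stands in for the device's own.
SESSIONS: Dict[str, str] = {}

# Constructed set of pages that may be served without a session (default deny).
PUBLIC_PATHS = {"/", "/login.html", "/login"}


@dataclass
class Request:
    path: str                                  # already normalised by the caller
    cookies: Dict[str, str] = field(default_factory=dict)


def login(username: str, password: str) -> Optional[str]:
    """Constructed credential check; returns a fresh session token on success."""
    if username == "admin" and hmac.compare_digest(password, "placeholder-pw"):
        token = secrets.token_hex(16)
        SESSIONS[token] = username
        return token
    return None


def is_authenticated(req: Request) -> bool:
    return SESSIONS.get(req.cookies.get("session", "")) is not None


def handle_vulnerable(req: Request) -> int:
    """Weak pattern: only the login page looks at the session. Every other
    handler assumes the visitor came through it, so a direct request to a
    restricted path is served to anyone who knows the URL."""
    if req.path == "/login.html":
        return 302 if is_authenticated(req) else 200
    return 200


def handle_hardened(req: Request) -> int:
    """Reference-monitor pattern: one check runs before any handler, and
    everything not on the public allowlist needs a valid session. There is
    no endpoint that can skip authorization, so forced browsing gets 401."""
    if req.path not in PUBLIC_PATHS and not is_authenticated(req):
        return 401
    return 200
```

Path normalisation (decoding, dot-segment removal, case folding where the server is case-insensitive) must happen before the check, or the allowlist comparison can be sidestepped.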
Details
- CWE(s): CWE-285 (Improper Authorization)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing web management interface of a WiFi extender, exploitable remotely via forced browsing, directly mapping to exploitation of public-facing applications.