CVE-2026-30703
Published: 18 March 2026
Description
A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation and sanitization of user-supplied inputs, directly preventing the command injection vulnerability in the adm.cgi sysCMD parameter.
AC-14 limits permitted actions without identification or authentication, blocking unauthenticated access to the vulnerable adm.cgi endpoint.
SC-7 enforces boundary protection to restrict network access to the web management interface, mitigating remote exploitation of the unauthenticated command injection.
Security Summary
CVE-2026-30703 is a command injection vulnerability (CWE-78) in the web management interface of the WiFi Extender WDR201A, specifically hardware version 2.1 running firmware LFMZX28040922V1.02. The issue resides in the adm.cgi endpoint, which fails to properly sanitize user-supplied input passed to a command-related parameter within the sysCMD functionality. This flaw has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote exploitation with high impacts on confidentiality, integrity, and availability.
An unauthenticated attacker with network access to the device can exploit this vulnerability by sending crafted requests to the adm.cgi endpoint, injecting arbitrary operating system commands. Successful exploitation grants remote code execution (RCE) on the underlying system, allowing full control over the WiFi extender, including data exfiltration, modification of network configurations, or further lateral movement within the local network.
Advisories, including a detailed disclosure on a security researcher's site, describe this as one of multiple CVEs identified through blackbox-to-whitebox analysis of the consumer WiFi extender. The device is produced by a Shenzhen-based manufacturer, but no patches, vendor fixes, or official mitigation guidance are referenced in available sources. Security practitioners should isolate affected devices, restrict web interface exposure, and monitor for anomalous traffic until firmware updates are confirmed available.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection in the web management interface enables exploitation of a public-facing application (T1190), followed by remote execution of Unix shell commands (T1059.004).