CVE-2026-30701
Published: 18 March 2026
Summary
CVE-2026-30701 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Github (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits the use of hard-coded authenticators such as passwords, directly preventing their storage in non-volatile memory and runtime exposure via SSI as in this CVE.
Mandates secure configuration settings for web interfaces and firmware, preventing the embedding of SSI directives that dynamically retrieve and disclose admin credentials.
Enforces approved access authorizations on sensitive web pages like login.shtml and settings.shtml, blocking unauthenticated retrieval of the exposed admin password.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote unauthenticated exploitation of the public-facing web interface via Server Side Includes (SSI) to disclose hardcoded admin credentials, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) contains hardcoded credential disclosure mechanisms (in the form of Server Side Include) within multiple server-side web pages, including login.shtml and settings.shtml. These pages embed server-side execution directives that…
more
dynamically retrieve and expose the web administration password from non-volatile memory at runtime.
Deeper analysisAI
CVE-2026-30701 is a high-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) in the web interface of the WiFi Extender WDR201A, specifically hardware version 2.1 running firmware LFMZX28040922V1.02. The flaw stems from hardcoded credential disclosure mechanisms implemented via Server Side Includes (SSI) in multiple server-side web pages, such as login.shtml and settings.shtml. These pages contain embedded server-side execution directives that dynamically retrieve and expose the web administration password stored in non-volatile memory at runtime, classified under CWE-798 (Use of Hard-coded Credentials).
Remote attackers with network access to the device can exploit this vulnerability without authentication, privileges, or user interaction by simply requesting the affected web pages. Successful exploitation allows retrieval of the plaintext web administration password, enabling full unauthorized access to the device's administrative interface. The high confidentiality impact reflects credential exposure, while the high availability impact may relate to potential disruptions from the SSI execution or follow-on administrative access.
Advisories reference a security research disclosure on mstreet97.github.io detailing this and other CVEs in the device, stemming from blackbox analysis of the consumer WiFi extender. A manufacturer page for Yeapook (Shenzhen-based producer established in 2015) is also linked, but no official patches, mitigations, or vendor responses are specified in available references. Security practitioners should isolate affected devices, monitor for unauthorized admin access, and pursue firmware updates if released.
Details
- CWE(s)