Cyber Resilience

CVE-2026-30703

Severity: Critical (RCE)

Published: 18 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0105 (59.8th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-30703 is a critical-severity OS command injection (CWE-78) vulnerability; the affected asset is recorded as Github (inferred from references). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 40.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30703 is a command injection vulnerability (CWE-78) in the web management interface of the WiFi Extender WDR201A, specifically hardware version 2.1 running firmware LFMZX28040922V1.02. The issue resides in the adm.cgi endpoint, which fails to properly sanitize user-supplied input passed to a command-related parameter within the sysCMD functionality. This flaw has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote exploitation with high impacts on confidentiality, integrity, and availability.

An unauthenticated attacker with network access to the device can exploit this vulnerability by sending crafted requests to the adm.cgi endpoint, injecting arbitrary operating system commands. Successful exploitation grants remote code execution (RCE) on the underlying system, allowing full control over the WiFi extender, including data exfiltration, modification of network configurations, or further lateral movement within the local network.

Advisories, including a detailed disclosure on a security researcher's site, describe this as one of multiple CVEs identified through blackbox-to-whitebox analysis of the consumer WiFi extender. The device is produced by a Shenzhen-based manufacturer, but no patches, vendor fixes, or official mitigation guidance are referenced in available sources. Security practitioners should isolate affected devices, restrict web interface exposure, and monitor for anomalous traffic until firmware updates are confirmed available.


Vulnerability details

A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated command injection in web management interface enables exploitation of public-facing application (T1190) for remote Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)
CVE-2026-27848 (shared CWE-78)
CVE-2025-0356 (shared CWE-78)
CVE-2025-13942 (shared CWE-78)

Affected Assets

Github (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 (Information Input Validation), prevent: requires validation and sanitization of user-supplied inputs, directly preventing the command injection vulnerability in the adm.cgi sysCMD parameter.

AC-14 (Permitted Actions Without Identification or Authentication), prevent: limits permitted actions without identification or authentication, blocking unauthenticated access to the vulnerable adm.cgi endpoint.

SC-7 (Boundary Protection), prevent: enforces boundary protection to restrict network access to the web management interface, mitigating remote exploitation of the unauthenticated command injection.
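The two defender-side pieces that the analysis above and the SI-10 / SC-7 controls call for are (a) allow-list validation of a command-style parameter before anything is dispatched, and (b) monitoring of requests to the management endpoint for shell metacharacters. The following Python is an added illustration written for this page; it is not the WDR201A firmware, and the parameter name `command`, the `sysCMD` page value, the log format and all log lines are constructed assumptions, since the page does not document the real request layout.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Characters that let a value escape a single shell word; their presence in
# a parameter bound for a system command is the CWE-78 signal we alert on.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")

# SI-10 style allow-list for a hypothetical diagnostic feature (assumption:
# the page names a "sysCMD functionality" but not its parameters).
ALLOWED_COMMANDS = {"ping", "traceroute"}
TARGET_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")

# Combined-style access-log line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def validate_command_request(command: str, target: str) -> bool:
    """Return True only for an allow-listed verb and a hostname/IP-shaped
    target. The caller then dispatches with an argument list (no shell),
    so metacharacters never reach an interpreter even if validation slips."""
    return command in ALLOWED_COMMANDS and TARGET_RE.fullmatch(target) is not None


def flag_request(log_line: str) -> Optional[dict]:
    """Return a finding for a request to adm.cgi whose query string carries
    shell metacharacters in any parameter value, else None."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if not parts.path.endswith("/adm.cgi"):
        return None
    # parse_qsl percent-decodes, so %3B and %60 become ';' and '`'.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "param": name, "value": value}
    return None


def scan_log(lines) -> list:
    """Run flag_request over an iterable of log lines; collect findings."""
    return [f for f in (flag_request(l) for l in lines) if f]


# Constructed sample log: one benign diagnostic call, two injection attempts,
# one unrelated request. None of these are from the original advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Mar/2026:10:00:01 +0000] "GET /adm.cgi?page=sysCMD&command=ping%3Bid HTTP/1.1" 200 512',
    '192.0.2.11 - - [18/Mar/2026:10:00:05 +0000] "GET /adm.cgi?page=sysCMD&command=ping HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Mar/2026:10:00:09 +0000] "GET /adm.cgi?page=sysCMD&command=ping%20127.0.0.1%60id%60 HTTP/1.1" 200 512',
    '192.0.2.12 - - [18/Mar/2026:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} param={finding['param']!r} value={finding['value']!r}")
```

The access-log scan only sees GET query strings; if the management interface submits the form by POST, body logging at a reverse proxy or WAF in front of the device is needed for the same check, which is also where SC-7 boundary restriction belongs. The metacharacter heuristic is for alerting; the allow-list plus shell-free dispatch is the actual fix.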
