CVE-2026-30704
Published: 18 March 2026
Summary
CVE-2026-30704 is a critical-severity Hidden Functionality (CWE-912) vulnerability in GitHub (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked at the 19.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 PE-3 (Physical Access Control) and PE-6 (Monitoring Physical Access).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires monitoring and restricting access to hardware ports, connectors, and I/O devices like the exposed UART pads on the PCB to prevent unauthorized exploitation.
Enforces physical access controls to the WiFi extender device, preventing attackers from physically reaching the PCB pads to access the unprotected UART interface.
Monitors physical access to the system components to identify unauthorized attempts to probe or connect to the exposed UART hardware pads.
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
NVD Description
The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) exposes an unprotected UART interface through accessible hardware pads on the PCB
Deeper analysis
CVE-2026-30704 is a critical-severity vulnerability (CVSS v3.1 score of 9.1, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) affecting the WiFi Extender WDR201A, specifically hardware version V2.1 running firmware LFMZX28040922V1.02. The issue stems from an unprotected UART interface exposed through accessible hardware pads on the device's printed circuit board (PCB), and is classified under CWE-912 (Hidden Functionality). This allows unauthorized access to potentially sensitive hardware-level interfaces.
According to the CVSS metrics, the vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), no required privileges (PR:N), and no user interaction (UI:N). Successful exploitation has a high impact on confidentiality (C:H) and availability (A:H), such as extracting sensitive data or disrupting device operations through the UART interface, while integrity remains unaffected (I:N) under an unchanged scope (S:U). The NVD description places the interface on PCB pads, so reaching it requires physical access to the device, which the AV:N metric in the published vector does not reflect.
Advisories reference a detailed security research disclosure at https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/cybersecurity/cve/2026/02/18/From-Blackbox-to-Whitebox-Multiple-CVEs-in-a-Consumer-WiFi-Extender.html, which covers this and other CVEs in the device. They also reference manufacturer information for Yeapook (https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China), a Shenzhen-based producer established in 2015. No specific patches or mitigations are detailed in the provided references.
Details
- CWE(s)