Cyber Resilience

CVE-2026-30704

Critical

Published: 18 March 2026

Modified: 19 March 2026
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0031 (22.3th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

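CVE-2026-30704 is a critical-severity Hidden Functionality (CWE-912) vulnerability. This record lists it against GitHub, an asset inferred from the references; the vulnerability description itself names the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). Its CVSS base score is 9.1 (Critical).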

Operationally, it is ranked at the 22.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 PE-3 (Physical Access Control) and PE-6 (Monitoring Physical Access).

Deeper analysis

CVE-2026-30704 is a critical-severity vulnerability (CVSS v3.1 score of 9.1, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) affecting the WiFi Extender WDR201A, specifically hardware version V2.1 running firmware LFMZX28040922V1.02. The device exposes an unprotected UART interface through accessible pads on its printed circuit board (PCB), and the issue is classified as CWE-912 (Hidden Functionality). This allows unauthorized access to potentially sensitive hardware-level interfaces.

According to the CVSS metrics, the vulnerability is rated as exploitable remotely over the network (AV:N) with low attack complexity (AC:L), no required privileges (PR:N), and no user interaction (UI:N). Successful exploitation has a high impact on confidentiality (C:H) and availability (A:H), such as extracting sensitive data or disrupting device operations through the UART interface, while integrity is unaffected (I:N) and the scope is unchanged (S:U). The exposure itself is on the PCB, which is why the mitigating controls listed on this page concern physical access to the device.

The advisories reference a detailed security research disclosure at https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/cybersecurity/cve/2026/02/18/From-Blackbox-to-Whitebox-Multiple-CVEs-in-a-Consumer-WiFi-Extender.html, which covers this and other CVEs in the device. They also link manufacturer information for Yeapook (https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China), a Shenzhen-based producer established in 2015. No specific patches or mitigations are detailed in the provided references.


Vulnerability details

The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) exposes an unprotected UART interface through accessible hardware pads on the PCB.

CWE(s)

CWE-912 (Hidden Functionality)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-39754 (Shared CWE-912)
CVE-2025-0626 (Shared CWE-912)
CVE-2025-48418 (Shared CWE-912)
CVE-2026-3587 (Shared CWE-912)
CVE-2010-20103 (Shared CWE-912)
CVE-2026-1952 (Shared CWE-912)
CVE-2026-7413 (Shared CWE-912)
CVE-2026-33280 (Shared CWE-912)
CVE-2025-0675 (Shared CWE-912)
CVE-2011-10018 (Shared CWE-912)

Affected Assets

GitHub (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires monitoring and restricting access to hardware ports, connectors, and I/O devices like the exposed UART pads on the PCB to prevent unauthorized exploitation.

Prevent: Enforces physical access controls to the WiFi extender device, preventing attackers from physically reaching the PCB pads to access the unprotected UART interface.

Detect: Monitors physical access to the system components to identify unauthorized attempts to probe or connect to the exposed UART hardware pads.
