CVE-2025-34147
Published: 2025-08-04
Priority: P2 · 62 · critical · 9.4 (CVSS 4.0)
CVSS vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (threat, environmental and supplemental metrics all X, Not Defined)
EPSS: 1.11% (61.7th percentile)
An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_aitemi_e_commerce_co_ltd | m300_wi-fi_repeater | — | — |
Detection & IOCs
Path: /protocol.csp
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148, CVE-2025-34149, CVE-2025-34150, CVE-2025-34151)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/protocol.csp|3f|"; http.request_body; content:"fname|3d|net"; fast_pattern; pcre:"/(?:extap2g|ssid|key|user|passwd)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:cve,2025-34148; reference:cve,2025-34150; reference:cve,2025-34147; reference:url,chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/; reference:cve,2025-34149; reference:cve,2025-34151; classtype:attempted-admin; sid:2064879; rev:1; metadata:affected_product Shenzhen_Atemi, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_09_23, cve CVE_2025_34148_CVE_2025_34150_CVE_2025_34147_CVE_2025_34151_CVE_2025_34149, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit targets HTTP POST requests to /protocol.csp with a URI of exactly 17 bytes and a request body containing 'fname=net'. Monitor for this combination as the entry point.
- Injection is delivered via the parameters extap2g, ssid, key, user, or passwd containing shell metacharacters: semicolon (;), newline (\n), backtick (`), pipe (|), or dollar sign ($), in both raw and URL-encoded forms.
- The injected commands execute as root at device reboot time, as the SSID value is inserted unescaped into a reboot-time shell script. Look for unexpected process spawning or persistence mechanisms post-reboot on affected devices.
- The attack is unauthenticated and exploitable by any attacker within Wi-Fi range of the device operating in Extender mode via its captive portal; no credentials are required.
- Traffic is plaintext (no TLS). Deploy detection at both perimeter and internal network segments.
- The Snort/Suricata rule (ET sid:2064879) covers five related CVEs simultaneously (CVE-2025-34147 through CVE-2025-34151). A match does not isolate which specific CVE is being exploited; triage is required to determine the exact vulnerable parameter.
- The rule requires the URI to be exactly 17 bytes (bsize:17) and to contain '/protocol.csp?'. Any URL rewriting, proxy normalization, or path variation may cause the rule to miss the attack.
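The conditions listed above, expressed as a check over constructed requests; this is an added example, not code from the rule's authors or the indexed sources. `rule_would_fire` mirrors sid:2064879, while `flagged_params` is a hypothetical log-hunting helper that ignores URI length and names the parameter to triage; the sample requests and the `x=1` query padding are constructed.

```python
import re
from urllib.parse import parse_qsl

# Body regex copied from the pcre option of the rule (sid:2064879) on this page.
RULE_PCRE = re.compile(
    rb"(?:extap2g|ssid|key|user|passwd)\x3d[^\x26]*?"
    rb"(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)
WATCHED = ("extap2g", "ssid", "key", "user", "passwd")
METACHARS = set(";\n`|$")

def rule_would_fire(method, uri, body):
    """Mirror the rule's conditions on the raw, undecoded request bytes."""
    return (method == "POST"
            and len(uri) == 17                # bsize:17
            and b"/protocol.csp?" in uri      # content:"/protocol.csp|3f|" (14 bytes)
            and b"fname=net" in body          # content:"fname|3d|net"
            and RULE_PCRE.search(body) is not None)

def flagged_params(method, uri, body):
    """Length-independent hunt for proxy/web logs (hypothetical helper): return the
    watched parameters whose URL-decoded value holds one of the rule's metacharacters."""
    if method != "POST" or b"/protocol.csp" not in uri or b"fname=net" not in body:
        return []
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return sorted({k for k, v in pairs if k in WATCHED and METACHARS & set(v)})

# Constructed requests (not captures from a device); "x=1" only pads the URI to 17 bytes.
SAMPLES = {
    "metachar in extap2g":   ("POST", b"/protocol.csp?x=1", b"fname=net&extap2g=Lab%3BMARKER"),
    "same body, longer URI": ("POST", b"/protocol.csp?x=1&via=proxy", b"fname=net&extap2g=Lab%3BMARKER"),
    "plain values":          ("POST", b"/protocol.csp?x=1", b"fname=net&extap2g=HomeNet&key=horse-staple"),
    "dollar in passphrase":  ("POST", b"/protocol.csp?x=1", b"fname=net&ssid=Cafe&passwd=pa%24word"),
}

def evaluate_samples():
    """Return {label: (rule verdict, parameters to triage)} for each sample."""
    return {name: (rule_would_fire(*req), flagged_params(*req)) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, (fired, params) in evaluate_samples().items():
        print(f"{name:24} rule={fired!s:5} triage={params}")
```

The last sample shows that a passphrase legitimately containing `$` satisfies the rule's regex too, so review the flagged value before treating an alert as an injection attempt.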
Suricata
ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148, CVE-2025-34149, CVE-2025-34150, CVE-2025-34151)
suricata·2025-09-23·CVSS 9.4
No public exploits indexed.
No writeups or analysis indexed.