CVE-2025-34148
Published 2025-08-07
Priority P263 · critical · 9.4 (CVSS 4.0)
CVSS 4.0 vector: AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (E, CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA, S, AU, R, V, RE and U are all X)
EPSS: 1.32% (67.3th percentile)
An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in WISP mode, the 'ssid' parameter is passed unsanitized to system-level scripts. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root, resulting in full device compromise.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_aitemi_e_commerce_co_ltd | m300_wi-fi_repeater | — | — |
Detection & IOCs
command: fname=net
other: ssid parameter with shell metacharacters (;, \n, `, |, $)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148, CVE-2025-34149, CVE-2025-34150, CVE-2025-34151)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/protocol.csp|3f|"; http.request_body; content:"fname|3d|net"; fast_pattern; pcre:"/(?:extap2g|ssid|key|user|passwd)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:cve,2025-34148; reference:cve,2025-34150; reference:cve,2025-34147; reference:url,chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/; reference:cve,2025-34149; reference:cve,2025-34151; classtype:attempted-admin; sid:2064879; rev:1;)
- Target POST requests to /protocol.csp (URI length exactly 17 bytes including query delimiter) with a body containing fname=net; inspect the ssid (and related) parameters for shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), dollar sign ($/%24).
- The vulnerable parameters are: extap2g, ssid, key, user, passwd. All are passed unsanitized to system-level scripts and execute as root. Monitor any of these parameters for injection payloads.
- The vulnerability is exploitable by unauthenticated attackers within Wi-Fi range; no session token or credentials are required. Alert on any unauthenticated POST to /protocol.csp from unexpected sources.
- Traffic is plaintext (no TLS); deploy detection at the network perimeter and internally. Snort/Suricata SID 2064879 (ET, rev:1, created 2025-09-23) covers this CVE.
- Reference blog post for additional exploitation detail: chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/
- The Snort rule URI match uses bsize:17 (exact byte-length match on the URI). Ensure your sensor/IDS supports the bsize keyword; without it the URI content match may produce false negatives or false positives.
- The PCRE covers URL-encoded variants of shell metacharacters (%3B, %0A, %60, %7C, %24) as well as raw forms. Ensure your HTTP inspection engine decodes the request body before matching, or the raw-encoded variants must be matched separately.
- The rule covers five related CVEs (CVE-2025-34147 through CVE-2025-34151) across multiple parameters; tuning may be needed if only CVE-2025-34148 (ssid parameter) alerting is desired to reduce scope.
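The rule's matching conditions, re-expressed in Python as an added example (not part of the original page or the ET ruleset) so the logic can be exercised offline. The request bodies and the 17-byte URI `/protocol.csp?a=1` are constructed placeholders, and `flagged_params` is a hypothetical helper whose `params` argument shows the ssid-only scoping mentioned in the last note.

```python
import re

# Shell metacharacters the rule's PCRE looks for, raw or percent-encoded: ; \n ` | $
META = rb"(?:\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24)"
RULE_PARAMS = ("extap2g", "ssid", "key", "user", "passwd")


def flagged_params(method, uri, body, params=RULE_PARAMS):
    """Return the parameter names that satisfy the rule, or [] if it would not alert."""
    # http.method; content:"POST"
    if method != b"POST":
        return []
    # http.uri; bsize:17; content:"/protocol.csp|3f|"
    if len(uri) != 17 or b"/protocol.csp?" not in uri:
        return []
    # http.request_body; content:"fname|3d|net"
    if b"fname=net" not in body:
        return []
    names = b"|".join(p.encode() for p in params)
    # [^\x26]*? keeps the match inside one parameter value (it cannot cross '&')
    pcre = re.compile(rb"(?P<name>" + names + rb")\x3d[^\x26]*?" + META + rb"+")
    return [m.group("name").decode() for m in pcre.finditer(body)]


# Constructed sample requests (not captured traffic); the URI is a 17-byte placeholder.
URI = b"/protocol.csp?a=1"
SAMPLES = {
    "clean": b"fname=net&ssid=CoffeeShop&key=correcthorse",
    "encoded_semicolon_in_ssid": b"fname=net&ssid=lab%3Bx&key=k",
    "raw_pipe_in_passwd": b"fname=net&ssid=lab&passwd=a|b",
    # A network name that merely contains '$' satisfies the rule as well.
    "dollar_in_ssid": b"fname=net&ssid=Cash%24Desk",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        all_params = flagged_params(b"POST", URI, body)
        ssid_only = flagged_params(b"POST", URI, body, params=("ssid",))
        print(f"{label}: all={all_params} ssid_only={ssid_only}")
```

The `dollar_in_ssid` sample shows that a network name containing `$` is enough to satisfy the rule, which is worth keeping in mind when triaging alerts from SID 2064879.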
Suricata
ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148, CVE-2025-34149, CVE-2025-34150, CVE-2025-34151)
suricata·2025-09-23·CVSS 9.4
No public exploits indexed.
No writeups or analysis indexed.