cbcvebase.
CVE-2025-34148
published 2025-08-07

Priority P263 · critical · 9.4 (CVSS 4.0)
Vector: AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 1.32% (67.3th percentile)
An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in WISP mode, the 'ssid' parameter is passed unsanitized to system-level scripts. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root, resulting in full device compromise.

Affected (1 range)

Vendor: shenzhen_aitemi_e_commerce_co_ltd
Product: m300_wi-fi_repeater
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /protocol.csp?
path: /protocol.csp
command: fname=net
other: ssid parameter with shell metacharacters (;, \n, `, |, $)

snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148, CVE-2025-34149, CVE-2025-34150, CVE-2025-34151)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/protocol.csp|3f|"; http.request_body; content:"fname|3d|net"; fast_pattern; pcre:"/(?:extap2g|ssid|key|user|passwd)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:cve,2025-34148; reference:cve,2025-34150; reference:cve,2025-34147; reference:url,chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/; reference:cve,2025-34149; reference:cve,2025-34151; classtype:attempted-admin; sid:2064879; rev:1;)
  • Target POST requests to /protocol.csp (URI length exactly 17 bytes including query delimiter) with a body containing fname=net; inspect the ssid (and related) parameters for shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), dollar sign ($/%24).
  • The vulnerable parameters are: extap2g, ssid, key, user, passwd — all passed unsanitized to system-level scripts and executing as root. Monitor any of these parameters for injection payloads.
  • The vulnerability is exploitable by unauthenticated attackers within Wi-Fi range; no session token or credentials are required. Alert on any unauthenticated POST to /protocol.csp from unexpected sources.
  • Traffic is plaintext (no TLS); deploy detection at the network perimeter and internally. Snort/Suricata SID 2064879 (ET, rev:1, created 2025-09-23) covers this CVE.
  • Reference blog post for additional exploitation detail: chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/
  • The Snort rule URI match uses bsize:17 (exact byte-length match on the URI). Ensure your sensor/IDS supports the bsize keyword; without it the URI content match may produce false negatives or false positives.
  • The PCRE covers URL-encoded variants of shell metacharacters (%3B, %0A, %60, %7C, %24) as well as raw forms. Ensure your HTTP inspection engine decodes the request body before matching; otherwise the encoded variants must be matched separately.
  • The rule covers five related CVEs (CVE-2025-34147 through CVE-2025-34151) across multiple parameters; tuning may be needed to narrow the scope if alerting is wanted only for CVE-2025-34148 (the ssid parameter).
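
The body-matching logic the notes above describe, as an added Python example (not code from this page, the rule's authors or the vendor): it percent-decodes each watched parameter before looking for the listed metacharacters, and it can be scoped to ssid only. The function name and the sample requests are constructed, parameter names are matched exactly rather than as substrings, and the rule's bsize URI-length check is not reproduced.

```python
from urllib.parse import unquote

# Parameters and metacharacters named in the rule and notes above.
RULE_PARAMS = ("extap2g", "ssid", "key", "user", "passwd")
METACHARS = {";", "\n", "`", "|", "$"}


def suspicious_params(method, uri, body, params=RULE_PARAMS):
    """Return sorted names of watched parameters whose decoded value holds a
    shell metacharacter. Returns [] when the request is out of scope."""
    if method.upper() != "POST" or not uri.startswith("/protocol.csp?"):
        return []
    if "fname=net" not in body:  # same substring test as the rule's content match
        return []
    hits = set()
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        # Decode first so %3B / %3b and a raw ';' are treated alike.
        if name in params and METACHARS & set(unquote(raw)):
            hits.add(name)
    return sorted(hits)


# Constructed sample requests (method, URI, body); not captured traffic.
SAMPLES = [
    ("POST", "/protocol.csp?", "fname=net&ssid=Office-5G&key=correct-horse"),
    ("POST", "/protocol.csp?", "fname=net&ssid=Lab%3BX"),
    ("POST", "/protocol.csp?", "fname=net&ssid=Cafe&passwd=a|b"),
    ("POST", "/protocol.csp?", "fname=net&ssid=Bob%24Guest"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        all_hits = suspicious_params(method, uri, body)
        ssid_only = suspicious_params(method, uri, body, params=("ssid",))
        print(f"{method} {uri} {body!r}: all={all_hits} ssid_only={ssid_only}")
```

The fourth sample shows the tuning cost: an SSID that legitimately contains `$` trips the same check, so alerts need triage against the networks expected on site.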