CVE-2025-34149
Published 2025-08-07
Priority P2 · 63 · critical · 9.4 CVSS 4.0
CVSS 4.0 vector: AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (E, CR, IR, AR, the modified base metrics, and the supplemental metrics S, AU, R, V, RE, U are all X)
EPSS: 1.46% (70.3th percentile)
A command injection vulnerability affects the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) during WPA2 configuration. The 'key' parameter is interpreted directly by the system shell, enabling attackers to execute arbitrary commands as root. Exploitation requires no authentication and can be triggered during wireless setup.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_aitemi_e_commerce_co_ltd | m300_wi-fi_repeater | — | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148, CVE-2025-34149, CVE-2025-34150, CVE-2025-34151)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/protocol.csp|3f|"; http.request_body; content:"fname|3d|net"; fast_pattern; pcre:"/(?:extap2g|ssid|key|user|passwd)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:cve,2025-34148; reference:cve,2025-34150; reference:cve,2025-34147; reference:url,chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/; reference:cve,2025-34149; reference:cve,2025-34151; classtype:attempted-admin; sid:2064879; rev:1; metadata:affected_product Shenzhen_Atemi, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_09_23, cve CVE_2025_34148_CVE_2025_34150_CVE_2025_34147_CVE_2025_34151_CVE_2025_34149, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Look for HTTP POST requests whose URI contains '/protocol.csp?' (written '/protocol.csp|3f|' in the rule, where |3f| is the hex byte for '?') and whose body contains 'fname=net'. The rule also fixes the URI at a byte size of 17 (bsize:17).
- Detect command injection shell metacharacters (semicolon, newline, backtick, pipe, dollar sign; both raw and URL-encoded) in the 'key', 'ssid', 'extap2g', 'user', or 'passwd' POST body parameters targeting /protocol.csp.
- The 'key' parameter in WPA2 configuration is passed directly to the system shell, allowing unauthenticated root command execution. Flag any request to /protocol.csp where the 'key' parameter contains shell metacharacters.
- Exploit traffic is plaintext (not TLS). Deploy detection at both perimeter and internal network boundaries.
- The Snort/Suricata rule (sid:2064879) covers five related CVEs (CVE-2025-34147 through CVE-2025-34151) across multiple vulnerable parameters (extap2g, ssid, key, user, passwd), not only the 'key' parameter specific to CVE-2025-34149. Tune or layer rules if per-CVE fidelity is required.
- The URI match pairs the '/protocol.csp?' content match with a strict byte-size constraint (bsize:17). Ensure your HTTP inspection engine supports the 'bsize' keyword; otherwise the URI content match alone may produce false positives.
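The matching logic described in the bullets above, as an added Python example (not code from this page or from the rule's authors) run over constructed requests. It matches parameter names exactly and reports which parameter fired, which is one way to get the per-parameter fidelity the caveat mentions; the function names and the `xxx` URI padding are assumptions.

```python
import re

# Parameters named in the rule on this page (sid:2064879).
WATCHED = (b"extap2g", b"ssid", b"key", b"user", b"passwd")
# Same metacharacters as the rule's pcre (; newline ` | $), raw or percent-encoded.
META = re.compile(rb"\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24")

def flagged_params(method, uri, body):
    """Return the watched parameters whose value carries a shell metacharacter."""
    if method != "POST":
        return []
    # Mirrors: http.uri; bsize:17; content:"/protocol.csp|3f|"
    if len(uri) != 17 or b"/protocol.csp?" not in uri:
        return []
    # Mirrors: http.request_body; content:"fname|3d|net"
    if b"fname=net" not in body:
        return []
    hits = []
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        # Exact name match: the rule's unanchored pcre would also fire on a
        # parameter such as "monkey=", because it ends in "key=".
        if name in WATCHED and META.search(value):
            hits.append(name.decode())
    return hits

def triage(requests):
    """Label each request; 'key' is the parameter this page ties to CVE-2025-34149."""
    report = []
    for method, uri, body in requests:
        hits = flagged_params(method, uri, body)
        cve = "CVE-2025-34149" if "key" in hits else None
        report.append({"params": hits, "cve": cve})
    return report

# Constructed sample requests (not captured traffic). The three bytes after
# "/protocol.csp?" are a placeholder that only pads the URI to 17 bytes.
URI = b"/protocol.csp?xxx"
SAMPLES = [
    ("POST", URI, b"fname=net&ssid=HomeNet&key=plainpassphrase"),
    ("POST", URI, b"fname=net&ssid=HomeNet&key=abc%3Bxyz"),
    ("POST", URI, b"fname=net&ssid=a`b&key=plainpassphrase"),
    ("POST", URI, b"fname=net&monkey=a;b"),
    ("POST", b"/protocol.csp?", b"fname=net&key=a|b"),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

A legitimate WPA2 passphrase may itself contain `$` or `|`, so a hit on `key` is a triage lead rather than proof of exploitation.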
Suricata
ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148, CVE-2025-34149, CVE-2025-34150, CVE-2025-34151)
suricata · 2025-09-23 · CVSS 9.4
No public exploits indexed.
No writeups or analysis indexed.