cbcvebase.
CVE-2025-34150
published 2025-08-07

CVE-2025-34150: The PPPoE configuration interface of the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) is vulnerable to command injection via the 'user' parameter…

PriorityP262critical9.4CVSS 4.0
AVAACLATNPRNUINVCHVIHVAHSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
1.39%
68.8th percentile
The PPPoE configuration interface of the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) is vulnerable to command injection via the 'user' parameter. Input is processed unsafely during network setup, allowing attackers to execute arbitrary system commands with root privileges.

Affected

1 ranges
VendorProductVersion rangeFixed in
shenzhen_aitemi_e_commerce_co_ltdm300_wi-fi_repeater

Detection & IOCsextracted from sources · hover to see the quote

url/protocol.csp?
path/protocol.csp
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148, CVE-2025-34149, CVE-2025-34150, CVE-2025-34151)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/protocol.csp|3f|"; http.request_body; content:"fname|3d|net"; fast_pattern; pcre:"/(?:extap2g|ssid|key|user|passwd)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:cve,2025-34148; reference:cve,2025-34150; reference:cve,2025-34147; reference:url,chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/; reference:cve,2025-34149; reference:cve,2025-34151; classtype:attempted-admin; sid:2064879; rev:1;)
  • Target HTTP POST requests to the exact URI /protocol.csp? (URI length is exactly 17 bytes including the '?'). The request body must contain 'fname=net', indicating a network configuration action.
  • Detect command injection characters (semicolon, newline, backtick, pipe, dollar sign — both raw and URL-encoded) in the 'user' parameter (and related parameters: extap2g, ssid, key, passwd) of the POST body. PCRE: /(?:extap2g|ssid|key|user|passwd)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/
  • The vulnerability is exploitable only over plaintext HTTP (not TLS). Deployment focus should be on perimeter and internal network monitoring points.
  • The injection occurs in the PPPoE configuration interface via the 'user' parameter, which is processed unsafely during network setup, resulting in arbitrary command execution with root privileges.
  • ·The Snort/Suricata rule (ET sid:2064879) covers five related CVEs (CVE-2025-34147 through CVE-2025-34151) across multiple injectable parameters (extap2g, ssid, key, user, passwd). CVE-2025-34150 specifically concerns the 'user' parameter; tuning the PCRE to focus on 'user' alone will reduce false positives if only this CVE is in scope.
  • ·The URI bsize constraint is exactly 17 bytes ('/protocol.csp?'), meaning the rule will only match requests where the URI is precisely that length. Any additional path components or query strings appended before the '?' would evade this rule.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.