cbcvebase.
CVE-2025-34151
published 2025-08-07

CVE-2025-34151: A command injection vulnerability exists in the 'passwd' parameter of the PPPoE setup process on the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02)…

PriorityP260critical9.4CVSS 4.0
AVAACLATNPRNUINVCHVIHVAHSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
3.83%
88.8th percentile
A command injection vulnerability exists in the 'passwd' parameter of the PPPoE setup process on the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The input is passed directly to system-level commands without sanitation, enabling unauthenticated attackers to achieve root-level code execution.

Affected

1 ranges
VendorProductVersion rangeFixed in
shenzhen_aitemi_e_commerce_co_ltdm300_wi-fi_repeater

Detection & IOCsextracted from sources · hover to see the quote

url/protocol.csp?
path/protocol.csp
commandfname=net
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Shenzhen Aitemi protocol.csp multiple Parameters Command Injection Attempt (CVE-2025-34147, CVE-2025-34148, CVE-2025-34149, CVE-2025-34150, CVE-2025-34151)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/protocol.csp|3f|"; http.request_body; content:"fname|3d|net"; fast_pattern; pcre:"/(?:extap2g|ssid|key|user|passwd)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:cve,2025-34148; reference:cve,2025-34150; reference:cve,2025-34147; reference:url,chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/; reference:cve,2025-34149; reference:cve,2025-34151; classtype:attempted-admin; sid:2064879; rev:1;)
  • Target HTTP POST requests to /protocol.csp with a body containing 'fname=net'; inspect the 'passwd' parameter (and related: extap2g, ssid, key, user) for unsanitized shell metacharacters indicating command injection: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), dollar sign ($/%24).
  • The URI path /protocol.csp has a fixed byte size of 17 characters (including the '?' delimiter); use a bsize:17 constraint to reduce false positives when matching the URI.
  • The vulnerability is exploitable by unauthenticated attackers; no session/auth token is required, so absence of authentication headers should not be used to filter out suspicious requests.
  • The injection point is the 'passwd' parameter in the PPPoE setup flow; prioritize alerting on payloads where 'passwd=' contains shell metacharacters.
  • Traffic is expected in plaintext (no TLS); deploy detection at the network perimeter and internally.
  • ·The Snort/Suricata rule (sid:2064879) covers five related CVEs (CVE-2025-34147 through CVE-2025-34151) across multiple parameters (extap2g, ssid, key, user, passwd); tuning may be needed to isolate alerts specific to CVE-2025-34151 (passwd/PPPoE) versus the other injection points.
  • ·The affected device is specifically the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02); scope detection to this device type to avoid noise on unrelated networking equipment.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.