CVE-2025-34152
Published: 2025-08-07
Priority P183 · critical · 9.4 (CVSS 4.0)
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 61.68% (99.1th percentile)
An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_aitemi_e_commerce_co_ltd | m300_wi-fi_repeater | — | — |
Detection & IOCs
command: fname=system&opt=time_conf&function=set&time=<payload>
other: http.favicon.hash:-741058468
other: icon_hash="-741058468" && server=="lighttpd/1.4.32"
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Shenzhen Atemi protocol.csp time Parameter Command Injection Attempt (CVE-2025-34152)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/protocol.csp|3f|"; http.request_body; content:"fname|3d|system"; fast_pattern; content:"time|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/; reference:cve,2025-34152; classtype:attempted-admin; sid:2064883; rev:1;)
- Exploit traffic is HTTP POST to URI /protocol.csp (exactly 17 bytes including the '?' delimiter) with request body containing 'fname=system' and 'time=' followed by shell metacharacters (;, newline, backtick, pipe, $).
- No authentication is required; the injection executes with root privileges without requiring a reboot or network reconfiguration, so there will be no visible configuration changes on the device.
- Fingerprint vulnerable devices using Shodan favicon hash -741058468 combined with server banner 'lighttpd/1.4.32', or the equivalent FOFA query.
- The X-Requested-With: XMLHttpRequest header and Content-Type: application/x-www-form-urlencoded are present in exploit requests; absence of authentication headers is notable.
- A Metasploit module exists for this vulnerability at modules/exploits/linux/http/aitemi_m300_time_rce.rb; monitor for its characteristic request patterns.
- The Snort/Suricata rule (sid:2064883) is scoped to plaintext HTTP only (tls_state plaintext); encrypted traffic to the device would not be detected by this rule.
- The URI bsize match is exactly 17 bytes ('/protocol.csp?'), so any URL variation (e.g., additional query parameters beyond the bare '?') may evade the URI-length check.
- The nuclei template uses an out-of-band DNS interaction (interactsh) for confirmation; internal/air-gapped deployments will not trigger the DNS callback matcher.
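For reviewing proxy or web logs after the fact, the rule's body match can be reproduced offline. The following is an added example, not part of the rule or of any source quoted on this page: it applies the same metacharacter set to the `time=` value and, going beyond the rule, matches on the URI path so extra query parameters do not evade it. The function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Metacharacters from the rule's pcre: ; newline ` | $ (raw or percent-encoded).
_META = re.compile(r"(?:;|%3b|\n|%0a|`|%60|\||%7c|\$|%24)", re.IGNORECASE)
# Value of each time= field, bounded by the next '&' like the rule's [^\x26]*.
_TIME = re.compile(r"time=([^&]*)")

def is_injection_attempt(method: str, uri: str, body: str) -> bool:
    """True when a request matches the pattern described in the notes above."""
    if method.upper() != "POST":
        return False
    # Compare the path only, so '/protocol.csp?x=1' is still inspected.
    if urlsplit(uri).path != "/protocol.csp":
        return False
    if "fname=system" not in body:
        return False
    return any(_META.search(m.group(1)) for m in _TIME.finditer(body))

# Constructed sample requests (method, URI, raw body); no real payloads.
SAMPLES = [
    ("POST", "/protocol.csp?",
     "fname=system&opt=time_conf&function=set&time=2025-08-07+10%3A00%3A00"),
    ("POST", "/protocol.csp?",
     "fname=system&opt=time_conf&function=set&time=2025-08-07%3BPLACEHOLDER"),
    ("POST", "/protocol.csp?extra=1",
     "fname=system&opt=time_conf&function=set&time=`PLACEHOLDER`"),
    ("POST", "/protocol.csp?",
     "fname=system&opt=time_conf&function=set&time=2025-08-07&note=a;b"),
    ("GET", "/protocol.csp?", "fname=system&time=x|PLACEHOLDER"),
]

def scan(samples):
    """Return one verdict per (method, uri, body) tuple."""
    return [is_injection_attempt(m, u, b) for m, u, b in samples]

if __name__ == "__main__":
    for sample, hit in zip(SAMPLES, scan(SAMPLES)):
        print("ALERT" if hit else "ok   ", sample[1], sample[2])
```
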
CVSS provenance
nvd · v4.0 · 9.4 CRITICAL · CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 9.4 CRITICAL
GHSA
GHSA-9r22-x3wm-vrr9
ghsa_unreviewed · 2025-08-07
CVE-2025-34152 [CRITICAL] CWE-78
VulnCheck
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2025·CVSS 9.4
Affected: Shenzhen Aitemi M300 Wi-Fi Repeater
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://attackerkb.com/assessments/f9232c59-7c73-4a11-be35-41796596deb5
Suricata
ET WEB_SPECIFIC_APPS Shenzhen Atemi protocol.csp time Parameter Command Injection Attempt (CVE-2025-34152)
suricata·2025-09-23·CVSS 9.4
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Shenzhen Atemi protocol.csp time Parameter Command Injection Attempt (CVE-2025-34152)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/protocol.csp|3f|"; http.request_body; content:"fname|3d|system"; fast_pattern; content:"time|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/; reference:cve,2025-34152; classtype:attempted-admin; sid:2064883; rev:1; metadata:affected_product Shenzhen_Atemi, attack_target Networking_Equipment, tls_state plaint
Nuclei
Shenzhen Aitemi M300 Wi-Fi Repeater – Unauthenticated Remote Command Execution via `time` Parameter
nuclei·CVSS 9.4
Template:
id: CVE-2025-34152
info:
  name: Shenzhen Aitemi M300 Wi-Fi Repeater – Unauthenticated Remote Command Execution via `time` Parameter
  author: Chocapikk,DhiyaneshDk
  severity: critical
  description: |
    An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M
Metasploit
Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (time param)
metasploit
This module exploits an unauthenticated remote command injection vulnerability in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability lies in the 'time' parameter of the time configuration endpoint, which is passed unsanitized to a shell command executed via the `date -s` mechanism. The injection executes with root privileges, without requiring authentication, reboot, or network reconfiguration.
Published: 2025-08-07 · Exploited in the wild