cbcvebase.
CVE-2025-34152
published 2025-08-07

Priority: P183, critical, 9.4 (CVSS 4.0)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 61.68% (99.1th percentile)
An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.

Affected

1 range
Vendor: shenzhen_aitemi_e_commerce_co_ltd
Product: m300_wi-fi_repeater
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /protocol.csp?x
path: /protocol.csp
command: fname=system&opt=time_conf&function=set&time=<payload>
other: http.favicon.hash:-741058468
other: icon_hash="-741058468" && server=="lighttpd/1.4.32"
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Shenzhen Atemi protocol.csp time Parameter Command Injection Attempt (CVE-2025-34152)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/protocol.csp|3f|"; http.request_body; content:"fname|3d|system"; fast_pattern; content:"time|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/; reference:cve,2025-34152; classtype:attempted-admin; sid:2064883; rev:1;)
  • Exploit traffic is HTTP POST to URI /protocol.csp (exactly 17 bytes including the '?' delimiter) with request body containing 'fname=system' and 'time=' followed by shell metacharacters (;, newline, backtick, pipe, $).
  • No authentication is required; the injection executes with root privileges without requiring a reboot or network reconfiguration, so there will be no visible configuration changes on the device.
  • Fingerprint vulnerable devices using Shodan favicon hash -741058468 combined with server banner 'lighttpd/1.4.32', or the equivalent FOFA query.
  • The X-Requested-With: XMLHttpRequest header and Content-Type: application/x-www-form-urlencoded are present in exploit requests; absence of authentication headers is notable.
  • A Metasploit module exists for this vulnerability at modules/exploits/linux/http/aitemi_m300_time_rce.rb; monitor for its characteristic request patterns.
  • The Snort/Suricata rule (sid:2064883) is scoped to plaintext HTTP only (tls_state plaintext); encrypted traffic to the device would not be detected by this rule.
  • The URI bsize match is exactly 17 bytes ('/protocol.csp?'), so any URL variation (e.g., additional query parameters beyond the bare '?') may evade the URI-length check.
  • The nuclei template uses an out-of-band DNS interaction (interactsh) for confirmation; internal/air-gapped deployments will not trigger the DNS callback matcher.
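
Added example (not part of the rule or any source cited above): the same match logic as sid:2064883 applied to already-parsed HTTP request records, for use over proxy or web logs. It keys on the URL path instead of the URI length, so extra query parameters do not bypass it. The function names and the sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Raw and percent-encoded forms of ; newline ` | $ (the set used in sid:2064883).
META = re.compile(r"[;\n`|$]|%(?:3b|0a|60|7c|24)", re.IGNORECASE)

def time_values(body: str) -> list:
    """Return every undecoded 'time' value in a form body, or [] unless fname=system."""
    pairs = [p.partition("=") for p in body.split("&")]
    if not any(name == "fname" and value == "system" for name, _, value in pairs):
        return []
    return [value for name, _, value in pairs if name == "time"]

def is_suspicious(method: str, uri: str, body: str) -> bool:
    """True when a request matches the CVE-2025-34152 injection pattern."""
    if method.upper() != "POST":
        return False
    # Compare the path only: '/protocol.csp?' and '/protocol.csp?a=1' both qualify.
    if urlsplit(uri).path != "/protocol.csp":
        return False
    # Check every 'time' value so a duplicated parameter cannot hide the bad one.
    return any(META.search(v) for v in time_values(body))

def flagged(records: list) -> list:
    """Return the indexes of the (method, uri, body) records that match."""
    return [i for i, r in enumerate(records) if is_suspicious(*r)]

# Constructed sample records; 'placeholder' stands in for injected content.
BASE = "fname=system&opt=time_conf&function=set&time="
SAMPLES = [
    ("POST", "/protocol.csp?", BASE + "2025-08-07+12:00:00"),       # normal clock set
    ("POST", "/protocol.csp?", BASE + "2025-08-07%3Bplaceholder"),  # encoded ';'
    ("POST", "/protocol.csp?a=1", BASE + "x|placeholder"),          # URI variation
    ("POST", "/protocol.csp?", BASE + "12:00&time=`placeholder`"),  # duplicate param
    ("GET", "/protocol.csp?", BASE + "x;placeholder"),              # wrong method
    ("POST", "/protocol.csp?", "fname=net&time=x;placeholder"),     # other handler
]

if __name__ == "__main__":
    for i in flagged(SAMPLES):
        print("match:", SAMPLES[i][1], SAMPLES[i][2])
```

Values are inspected before URL decoding, as the rule's PCRE does; double-encoded input (for example %253B) is outside what either check covers.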

CVSS provenance

nvd: v4.0, 9.4 CRITICAL, CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 9.4 CRITICAL