Home

Description

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise.

PUBLISHED Reserved 2025-04-15 | Published 2025-08-04 | Updated 2025-12-01 | Assigner VulnCheck




CRITICAL: 9.4CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

*
affected

Credits

Valentin Lobstein (Chocapikk) finder

Dinesh Aswin S. (esistdini) finder

References

chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root/ technical-description exploit

www.aliexpress.us/item/3256806767641280.html product

www.vulncheck.com/...-repeater-os-command-injection-via-ssid third-party-advisory

cve.org (CVE-2025-34147)

nvd.nist.gov (CVE-2025-34147)

Download JSON