CVE-2025-34152 Overview
An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the time parameter of the /protocol.csp? endpoint. The input is processed by the internal date -s command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and represents a critical security risk for network environments where the affected device is deployed.
Critical Impact
Unauthenticated attackers on the adjacent network can execute arbitrary OS commands with root privileges, potentially leading to complete device compromise, network pivoting, and persistent backdoor installation without visible configuration changes.
Affected Products
- Shenzhen Aitemi M300 Wi-Fi Repeater
- Hardware model MT02
Discovery Timeline
- 2025-08-07 - CVE-2025-34152 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-34152
Vulnerability Analysis
This command injection vulnerability exists due to improper input validation in the /protocol.csp? endpoint of the Shenzhen Aitemi M300 Wi-Fi Repeater. The time parameter accepts user-supplied input that is directly passed to the date -s system command without adequate sanitization or escaping.
The attack vector requires adjacent network access, meaning an attacker must be on the same network segment as the vulnerable device. However, no authentication is required to exploit this vulnerability, significantly lowering the barrier to exploitation. The vulnerability allows for high impact on confidentiality, integrity, and availability of both the vulnerable system and potentially downstream systems on the network.
What makes this vulnerability particularly dangerous is that exploitation does not trigger a device reboot or disrupt the HTTP service, allowing attackers to maintain stealth during and after compromise. No visible configuration changes occur, making detection through normal administrative review difficult.
Root Cause
The root cause of this vulnerability is insufficient input validation and improper neutralization of special characters in the time parameter before it is passed to the underlying date -s operating system command. The web application fails to sanitize shell metacharacters such as semicolons, pipes, and command substitution operators, allowing attackers to inject additional commands that execute with the privileges of the web server process (typically root on embedded IoT devices).
Attack Vector
The vulnerability is exploitable from an adjacent network position without requiring any authentication. An attacker connected to the same network as the Wi-Fi repeater can send a malicious HTTP request to the /protocol.csp? endpoint with a crafted time parameter containing shell metacharacters and arbitrary commands.
The injected commands are executed in the context of the date -s command invocation, which typically runs with root privileges on embedded Linux systems. This allows attackers to execute arbitrary commands, download and execute malicious payloads, establish reverse shells, modify device configuration, or pivot to other devices on the network.
For detailed technical analysis and exploitation methodology, see the Chocapikk research blog post and the VulnCheck Security Advisory.
Detection Methods for CVE-2025-34152
Indicators of Compromise
- Unusual HTTP requests to the /protocol.csp? endpoint containing shell metacharacters in the time parameter
- Unexpected outbound network connections from the Wi-Fi repeater device
- Presence of unauthorized files or processes running on the device
- Anomalous command execution patterns in device logs (if logging is available)
Detection Strategies
- Monitor network traffic for HTTP requests to /protocol.csp? containing suspicious characters such as ;, |, $(), or backticks in parameter values
- Deploy network intrusion detection rules to identify command injection patterns targeting IoT devices
- Implement network segmentation monitoring to detect lateral movement attempts originating from IoT device network segments
- Use behavioral analysis tools to identify anomalous traffic patterns from Wi-Fi repeater devices
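One way to implement the first strategy over gateway or proxy access logs, checking the time parameter for the metacharacters named under Root Cause. This is an added example, not code from the advisory or the vendor. The combined log format, the sample lines and the function names are assumptions, and only the request line is inspected.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters a shell treats as command separators, pipes or substitution.
SHELL_META = re.compile(r"[;|&$`()<>\r\n]")
# Source address and request target from a combined-format access log line.
LOG_LINE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo layered percent-encoding, e.g. %253B -> %3B -> ';'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_time_values(target):
    """Decoded `time` values on /protocol.csp that contain shell metacharacters."""
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed target: nothing to parse
        return []
    if not parts.path.lower().endswith("/protocol.csp"):
        return []
    # separator="&" keeps a raw ';' inside the value instead of splitting on it.
    pairs = parse_qsl(parts.query, keep_blank_values=True, separator="&")
    values = [fully_decode(v) for k, v in pairs if k.lower() == "time"]
    return [v for v in values if SHELL_META.search(v)]

def scan(lines):
    """Return (source address, decoded value) for every flagged request."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match:
            alerts += [(match["src"], v) for v in suspicious_time_values(match["target"])]
    return alerts

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [07/Aug/2025:12:00:01 +0000] "GET /protocol.csp?time=2025-08-07+12:00:00 HTTP/1.1" 200 12',
    '192.0.2.66 - - [07/Aug/2025:12:03:10 +0000] "GET /protocol.csp?time=2025-08-07;id HTTP/1.1" 200 12',
    '192.0.2.66 - - [07/Aug/2025:12:03:11 +0000] "GET /protocol.csp?time=2025-08-07%253Bid HTTP/1.1" 200 12',
    '192.0.2.67 - - [07/Aug/2025:12:04:00 +0000] "GET /protocol.csp?time=%24(id) HTTP/1.1" 200 12',
    '192.0.2.10 - - [07/Aug/2025:12:05:00 +0000] "GET /index.html?time=a;b HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE):
        print(f"ALERT {src} time={value!r}")
```

The value is decoded repeatedly before matching so that single- and double-encoded metacharacters are caught by the same check.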
Monitoring Recommendations
- Segment IoT devices like Wi-Fi repeaters on isolated VLANs with strict access controls
- Monitor DNS queries and outbound connections from IoT network segments for command-and-control indicators
- Implement logging at the network perimeter to capture all traffic to and from IoT devices
- Regularly audit devices on the network for unexpected firmware modifications or configuration changes
How to Mitigate CVE-2025-34152
Immediate Actions Required
- Isolate affected Shenzhen Aitemi M300 Wi-Fi Repeater devices on a separate network segment with restricted access
- Implement access control lists (ACLs) to limit which hosts can communicate with the device's web interface
- Consider replacing the device with a more secure alternative if no patch is available from the manufacturer
- Audit network logs for evidence of prior exploitation attempts
Patch Information
No vendor patch information is currently available for this vulnerability. Users should monitor the manufacturer's website and security advisories for firmware updates. Given the critical severity and the lack of vendor response typical for consumer IoT devices, replacement with a more secure device may be the most effective remediation strategy.
For additional context on the vulnerability and affected products, see the VulnCheck Security Advisory.
Workarounds
- Place the Wi-Fi repeater behind a firewall that blocks direct access to the /protocol.csp? endpoint from untrusted hosts
- Disable remote management features if available in the device configuration
- Implement network-level access controls to restrict which devices can communicate with the repeater's management interface
- Consider using a VPN or jump host architecture to access IoT device management interfaces
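# Example network isolation using iptables on a Linux gateway
# Block access to the vulnerable endpoint from all but trusted management hosts
# Only effective when traffic to the repeater is routed through this gateway
# Rules are evaluated in order, so the ACCEPT for the trusted host must come before the DROP
iptables -A FORWARD -s <TRUSTED_MGMT_IP> -d <REPEATER_IP> -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d <REPEATER_IP> -p tcp --dport 80 -m string --string "/protocol.csp?" --algo bm -j DROP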

