OS Command Injection Vulnerability in Shenzhen Aitemi M300 Wi-Fi Repeater
CVE-2025-34147

9.4CRITICAL

Key Information:

Vendor: Shenzhen Aitemi E Commerce Co. Ltd.
Status: M300 Wi-fi Repeater
Vendor: CVE Published:; 4 August 2025

🔔 Create Shenzhen Aitemi E Commerce Co. Ltd. Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-34147?

An OS command injection vulnerability allows attackers within Wi-Fi range to exploit the Shenzhen Aitemi M300 Wi-Fi Repeater. By injecting arbitrary shell commands through the extap2g SSID field during the device's configuration in Extender mode, unauthorized users can execute commands with root privileges upon device reboot. This represents a significant security risk, as it could lead to complete system compromise and unauthorized access to the device.

Affected Version(s)

M300 Wi-Fi Repeater *

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34147 - Proof of Concept

References

https://chocapikk.com/posts/2025/when-a-wifi-name-gives-y...

technical-descriptionexploit

https://www.aliexpress.us/item/3256806767641280.html

product

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Aug 4, 2025
👾
Exploit known to exist
Aug 4, 2025
Vulnerability published
Aug 4, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

Valentin Lobstein (Chocapikk)

Jared Brits (K3ysTr0K3R)

Semih Y. (r00tm4st3r)

Dinesh Aswin S. (esistdini)