Command Injection Vulnerability in Shenzhen Aitemi M300 Wi-Fi Repeater
CVE-2025-34149

9.4 CRITICAL

Key Information:

Vendor
CVE Published: 7 August 2025

Badges

👾 Exploit Exists

What is CVE-2025-34149?

A command injection vulnerability affects the WPA2 configuration process of the Shenzhen Aitemi M300 Wi-Fi Repeater. The value of the 'key' parameter is passed directly to the system shell, so an attacker can run arbitrary commands with root privileges. The vulnerability can be exploited without any form of authentication and can be triggered while the device is being set up wirelessly, which presents a significant security risk to users.

Affected Version(s)

M300 Wi-Fi Repeater *

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

Valentin Lobstein (Chocapikk)
Jared Brits (K3ysTr0K3R)
Semih Y. (r00tm4st3r)
Dinesh Aswin S. (esistdini)