Command Injection Vulnerability in Shenzhen Aitemi M300 Wi-Fi Repeater
CVE-2025-34152
Key Information:
- CVE Published: 7 August 2025
What is CVE-2025-34152?
CVE-2025-34152 is a command injection vulnerability affecting the Shenzhen Aitemi M300 Wi-Fi Repeater, specifically through its /protocol.csp? endpoint. The vulnerability arises from mishandling of the 'time' parameter, which allows unauthorized users to execute arbitrary operating system commands without authentication. The risk is pronounced because remote attackers can run commands without visibly altering the device's configuration or affecting its HTTP service. Given the prevalence of Wi-Fi repeaters in home and business networks, this flaw could have widespread implications, exposing sensitive network data and functionality to external threats.
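A defensive check for the request pattern described above, as an added example that is not from the original page or the vendor: it scans web-proxy or network-sensor logs for requests to /protocol.csp whose 'time' query parameter falls outside an allowlist of date/time characters. The Common Log Format input, the allowlist, and the sample lines are assumptions; a 'time' value carried in a request body would not appear in such logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a benign 'time' value holds only digits and common date/time
# separators. Tighten this to what the device's own UI actually sends.
SAFE_TIME = re.compile(r"[0-9TZ:./ +-]{1,40}")

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def suspicious_time_values(log_line):
    """Return 'time' values sent to /protocol.csp that fail the allowlist."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != "/protocol.csp":
        return []
    # parse_qsl percent-decodes, so encoded metacharacters are checked decoded.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return [v for k, v in params
            if k.lower() == "time" and not SAFE_TIME.fullmatch(v)]


def scan(lines):
    """Return (client_ip, value) for every flagged request, in log order."""
    hits = []
    for line in lines:
        for value in suspicious_time_values(line):
            hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample lines (not captured traffic); 'x' is a placeholder token.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Aug/2025:10:00:01 +0000] "GET /protocol.csp?time=2025-08-07%2010:00:00 HTTP/1.1" 200 12',
    '198.51.100.7 - - [07/Aug/2025:10:00:05 +0000] "GET /protocol.csp?time=1%3Bx HTTP/1.1" 200 12',
    '198.51.100.7 - - [07/Aug/2025:10:00:09 +0000] "GET /protocol.csp?time=%60x%60 HTTP/1.1" 200 12',
    '192.0.2.10 - - [07/Aug/2025:10:00:12 +0000] "GET /index.html?time=1%3Bx HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent non-conforming time value: {value!r}")
```

Because the description says the device's configuration and HTTP service look unchanged afterwards, request-level review like this is one of the few places the activity would show up.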
Potential impact of CVE-2025-34152
- Remote Code Execution: Attackers can exploit this vulnerability to execute arbitrary commands on the device remotely, potentially leading to full control over the compromised Wi-Fi repeater. This could facilitate broader network attacks, allowing further intrusions into the domestic or corporate environment.
- Network Compromise: The ability to execute commands may allow attackers to intercept and manipulate network traffic. This might lead to data exfiltration, unauthorized monitoring, or even deploying additional malware into the network, further amplifying security risks.
- Denial of Service: Malicious actors could potentially disrupt the functionality of the M300 Wi-Fi Repeater, leading to denial of service for legitimate users. This could impair business operations or compromise essential communication channels in critical situations.
Affected Version(s)
M300 Wi-Fi Repeater *
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.
Timeline
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability Reserved