CVE-2025-34147 CRITICAL

CVE-2025-34147: Shenzhen Aitemi M300 Wi-Fi Repeater OS Command Injection via SSID

Vendor Shenzhen Aitemi E Commerce Co. Ltd.

Product M300 Wi-Fi Repeater

Weakness CWE-78

Published August 4, 2025

Last update December 1, 2025

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise.

Key dates

02Disclosure timeline

August 4, 2025 CVE published

December 1, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-34147

Related vulnerabilities

Identifiers

CVE CVE-2025-34147

CWE CWE-78

CVSS 9.4 / CRITICAL

Affected versions