CVE-2025-34148 CRITICAL

CVE-2025-34148: Shenzhen Aitemi M300 Wi-Fi Repeater OS Command Injection via WISP SSID

Vendor Shenzhen Aitemi E Commerce Co. Ltd.

Product M300 Wi-Fi Repeater

Weakness CWE-78

Published August 7, 2025

Last update December 1, 2025

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in WISP mode, the 'ssid' parameter is passed unsanitized to system-level scripts. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root, resulting in full device compromise.

Key dates

02Disclosure timeline

August 7, 2025 CVE published

December 1, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-34148 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2025-34148

CWE CWE-78

CVSS 9.4 / CRITICAL

Affected versions