CVE-2025-34152 CRITICAL

CVE-2025-34152: Shenzhen Aitemi M300 Wi-Fi Repeater OS Command Injection via Time Parameter

Vendor Shenzhen Aitemi E Commerce Co. Ltd.

Product M300 Wi-Fi Repeater

Weakness CWE-78

Published August 7, 2025

Last update December 1, 2025

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.

Key dates

02Disclosure timeline

August 7, 2025 CVE published

December 1, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-34152 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2025-34152

CWE CWE-78

CVSS 9.4 / CRITICAL

Affected versions