CVE-2025-34147
BaseFortify
Publication date: 2025-08-04
Last updated on: 2025-11-04
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shenzhen_meitai | electronic_commerce | m300_wifi_repeater |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34147 is a critical command injection vulnerability in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a shell script that runs at reboot. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands using the $(...) syntax in the SSID field, which execute as root during device reboot, leading to full system compromise without requiring physical access or hardware modification. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker within Wi-Fi range to execute arbitrary commands on the device with root privileges during reboot. This can lead to full system compromise, including starting unauthorized services like Telnet, adding SSH keys for persistent access, or wiping the device's flash memory. The attacker does not need physical access or special hardware interfaces, making exploitation easy and dangerous. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the device's SSID field accepts and executes shell commands. One way to test is to set the extap2g SSID to a payload like "$(id)" via the captive portal and then reboot the device. If the device executes the command and the SSID broadcasts the root user ID output, it is vulnerable. There are no specific network scanning commands provided, but testing the SSID injection via the captive portal is the primary detection method. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding setting or accepting untrusted SSID names in the extender's captive portal, especially those containing shell command syntax like "$(...)". Since firmware patching is unlikely, restricting access to the device's configuration interface and disabling remote configuration may help. Ultimately, proper input validation and sanitization on the device firmware is recommended, but as an immediate step, do not use or allow SSIDs with special characters that could be interpreted as commands. [1]
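The input validation and quoting that the mitigation answer calls for, sketched as an added example; this is not vendor firmware code and does not come from the advisory. The function names, the `SSID=` line format of the generated script, and the character allowlist are assumptions, since the page does not show the device's actual script.

```shell
#!/bin/sh
# Added illustration: hypothetical helpers, not code from the M300 firmware.
LC_ALL=C; export LC_ALL   # byte-wise ranges and lengths

# Accept only SSIDs of 1-32 bytes (the 802.11 limit) drawn from a
# conservative allowlist (assumed policy). Returns 0 if acceptable.
ssid_is_safe() {
    ssid=$1
    [ -n "$ssid" ] || return 1
    [ "${#ssid}" -le 32 ] || return 1
    case $ssid in
        *[!A-Za-z0-9._\ -]*) return 1 ;;   # any byte outside the allowlist
    esac
    return 0
}

# Emit $1 as one single-quoted shell word; an embedded ' becomes '\''.
# Inside single quotes the shell performs no expansion at all.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Pattern the page describes: the field is pasted into the script raw
# (assumed form). Double quotes do not stop command substitution.
emit_unsafe() {
    printf 'SSID="%s"\n' "$1"
}

# Hardened form: reject unexpected input, then quote what is accepted.
emit_safe() {
    ssid_is_safe "$1" || { echo "rejected SSID" >&2; return 1; }
    printf 'SSID=%s\n' "$(sh_quote "$1")"
}

# Constructed sample inputs; the lines are only printed, never executed.
printf 'raw paste : %s\n' "$(emit_unsafe '$(id)')"
printf 'quoted    : SSID=%s\n' "$(sh_quote '$(id)')"
printf 'validated : %s\n' "$(emit_safe 'Home WiFi-5')"
```

Validation and quoting are independent layers: the allowlist rejects the `$(...)` form outright, and the single-quoting keeps a value inert even if the allowlist is later widened.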