CVE-2026-58457
Received - Intake

Unauthenticated OS Command Injection in Shenzhen Aitemi M300 Wi-Fi Repeater

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS command injection vulnerability that allows network-adjacent attackers to execute arbitrary shell commands by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend. Attackers can append semicolon-delimited payloads to the name, enable, or mac GET parameters, which are passed without sanitization into sprintf() to build uci shell commands executed via doSystemCmdComlib(), granting full root-level control of the device.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: shenzhen
Product: aitemi_m300_mt02
Version / Range: *

Exploitability

CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Executive Summary

CVE-2026-58457 is an unauthenticated OS command injection vulnerability in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). It allows network-adjacent attackers to execute arbitrary shell commands with root privileges by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend.

Attackers exploit this by appending semicolon-delimited payloads to the name, enable, or mac GET parameters. These parameters are passed without sanitization into sprintf() to build uci shell commands, which are then executed via doSystemCmdComlib(), granting full root-level control of the device.

Additional issues include poor input validation, unsafe use of sprintf() functions, and insecure filesystem practices, such as writable filesystems and the ability to relocate critical binaries.

Impact Analysis

This vulnerability can have severe impacts as it grants attackers full root-level control over the affected device without any authentication.

  • Attackers can execute arbitrary shell commands remotely.
  • They can manipulate device configurations, create or delete files, and potentially change the root password.
  • The device could be used as a foothold for further network attacks or to disrupt network operations.
  • Insecure filesystem practices may allow attackers to relocate critical binaries, increasing the risk of persistent compromise.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP GET requests to the /protocol.csp endpoint targeting the smacfilter_conf handler. Specifically, appending semicolon-delimited payloads to the name, enable, or mac parameters can test for command injection.

A proof-of-concept involves appending commands like "; touch 1" to these parameters and observing if the command executes on the device, such as by checking for the creation of a file named '1'.

Example command using curl to test the vulnerability:

  • curl "http://<device-ip>/protocol.csp?name=test; touch 1"

If the file '1' appears on the device filesystem, it confirms the command injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting network access to the affected device to trusted users only, especially blocking access to the /protocol.csp endpoint from untrusted networks.

Since the vulnerability allows unauthenticated root-level command execution, it is critical to isolate the device from the internet or untrusted networks until a firmware update or patch is available.

Additionally, monitor the device for any suspicious activity or unexpected files (e.g., files created by injected commands) and consider resetting the device to factory defaults after ensuring no compromise.

Long-term mitigation requires applying vendor-provided patches or firmware updates that sanitize input parameters and fix the command injection flaw.
