CVE-2025-34149: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Shenzhen Aitemi E Commerce Co. Ltd. M300 Wi-Fi Repeater
A command injection vulnerability affects the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) during WPA2 configuration. The 'key' parameter is interpreted directly by the system shell, enabling attackers to execute arbitrary commands as root. Exploitation requires no authentication and can be triggered during wireless setup.
AI Analysis
Technical Summary
CVE-2025-34149 is an OS command injection vulnerability classified under CWE-78, affecting the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability arises because the device's WPA2 configuration process accepts a 'key' parameter that is directly interpreted by the system shell without proper sanitization or neutralization of special characters. This improper input handling enables an attacker to inject arbitrary shell commands that execute with root privileges on the device. Notably, exploitation does not require authentication or user interaction, making it remotely exploitable during the wireless setup phase. The vulnerability impacts all versions of the M300 repeater, indicating a systemic flaw in the device firmware. The CVSS 4.0 base score of 9.4 reflects a critical severity, with high impact on confidentiality, integrity, and availability, and low attack complexity. Although no public exploits have been reported yet, the ease of exploitation and root-level command execution potential make this a high-risk vulnerability. The device’s role as a Wi-Fi repeater means compromise could allow attackers to intercept, manipulate, or disrupt network traffic, or use the device as a foothold for lateral movement within networks. The lack of authentication requirement during setup further exacerbates the risk, especially in environments where device setup interfaces are exposed or insufficiently protected.
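The handling the summary describes as missing can be sketched as follows. This is an added example, not code from the vendor's firmware or from this advisory; the function names, the assumption that the handler built a command string for `system()`, and `/bin/echo` as a stand-in tool are all hypothetical.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* WPA2-Personal key: 8..63 printable ASCII chars or exactly 64 hex digits.
 * Shell metacharacters are legal in a passphrase, so this is not a filter. */
int wpa2_key_is_valid(const char *key) {
    size_t n = strlen(key);
    if (n != 64 && (n < 8 || n > 63))
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)key[i];
        if (n == 64 ? !isxdigit(c) : (c < 0x20 || c > 0x7e))
            return 0;
    }
    return 1;
}

/* Assumed fix pattern for a handler that built "tool ... <key>" and called
 * system(): pass the key as one argv element so no shell parses it.
 * Copies the tool's stdout into out; returns bytes read, or -1. */
ssize_t run_tool_with_key(const char *tool, const char *key, char *out, size_t cap) {
    int fds[2];
    if (!wpa2_key_is_valid(key) || cap == 0 || pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {                      /* child: exec directly, no /bin/sh */
        char *const argv[] = { (char *)tool, (char *)key, NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(tool, argv);
        _exit(127);
    }
    close(fds[1]);
    ssize_t total = 0, r = 0;
    while (pid > 0 && (r = read(fds[0], out + total, cap - 1 - total)) > 0)
        total += r;
    out[total] = '\0';
    close(fds[0]);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return pid > 0 ? total : -1;
}

int main(void) {
    char buf[80];   /* constructed key; /bin/echo stands in for the real tool */
    return run_tool_with_key("/bin/echo", "constructed;key $x", buf, sizeof buf) < 0;
}
```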
Potential Impact
For European organizations, the impact of CVE-2025-34149 can be substantial. Compromise of the M300 Wi-Fi repeater could lead to unauthorized network access, interception of sensitive communications, and potential disruption of wireless connectivity. Given the root-level command execution, attackers could install persistent malware, pivot to other network segments, or exfiltrate confidential data. Critical infrastructure, enterprise networks, and public Wi-Fi deployments using these devices are particularly vulnerable. The vulnerability could undermine trust in network security, cause operational downtime, and lead to regulatory compliance issues under GDPR if personal data is exposed. The ease of exploitation without authentication increases the attack surface, especially in environments where these repeaters are deployed in semi-public or poorly secured locations. Additionally, the potential for attackers to manipulate WPA2 settings could weaken wireless security configurations, further exposing networks to additional attacks.
Mitigation Recommendations
Immediate mitigation involves obtaining and applying firmware updates from Shenzhen Aitemi that address the command injection flaw. If no patch is currently available, organizations should restrict access to the device’s wireless setup interface by isolating the device on a separate management VLAN or using network access controls to limit connections to trusted administrators only. Disabling remote setup features or wireless configuration interfaces until a patch is applied can reduce exposure. Network monitoring should be enhanced to detect anomalous commands or traffic patterns originating from the M300 repeaters. Organizations should also consider replacing affected devices with more secure alternatives if timely patches are unavailable. Implementing strong physical security controls to prevent unauthorized local access to the devices is advisable. Finally, conducting a thorough network audit to identify all deployed Shenzhen Aitemi M300 devices will help in prioritizing remediation efforts.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.564Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6894d8b1ad5a09ad00fb13e4
Added to database: 8/7/2025, 4:47:45 PM
Last enriched: 12/4/2025, 5:02:35 PM
Last updated: 1/18/2026, 2:21:06 PM