CVE-2025-34149 is a critical OS command injection vulnerability identified in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The flaw exists in the device's WPA2 wireless configuration process, specifically in the handling of the 'key' parameter. This parameter is passed directly to the system shell without proper sanitization or neutralization of special characters, which allows an unauthenticated attacker within wireless range to inject arbitrary shell commands. Because the commands execute with root privileges, an attacker can fully compromise the device, potentially gaining persistent control, altering configurations, or using the device as a foothold for lateral movement within a network. The vulnerability affects all versions of the M300 Wi-Fi Repeater, and exploitation requires no authentication or user interaction, making it highly accessible to attackers. The CVSS 4.0 base score is 9.4 (critical), reflecting the high impact on confidentiality, integrity, and availability, as well as the ease of exploitation and the lack of required privileges or user interaction. Although no public exploits have been reported yet, the vulnerability's nature and severity suggest it is a prime candidate for rapid weaponization. The absence of available patches at the time of publication further elevates the risk for users of this device. This vulnerability exemplifies CWE-78, improper neutralization of special elements used in OS commands, a common and dangerous class of injection flaws in embedded and IoT devices where input validation is insufficient.

For European organizations, the impact of this vulnerability can be severe, especially for those relying on Shenzhen Aitemi M300 Wi-Fi Repeaters in their network infrastructure. Compromise of these devices can lead to full device takeover, enabling attackers to intercept or manipulate network traffic, disrupt wireless connectivity, or pivot to other internal systems. This can result in data breaches, operational downtime, and loss of trust. Given the device's role in extending wireless coverage, attackers could use it as a persistent entry point into corporate or industrial networks. Critical sectors such as manufacturing, healthcare, and logistics that depend on reliable wireless connectivity could face significant operational disruptions. Additionally, the lack of authentication and the ability to exploit the vulnerability remotely over Wi-Fi increases the attack surface, making it easier for threat actors to target organizations without physical access. The vulnerability also poses risks to privacy and compliance with European data protection regulations (e.g., GDPR) if attackers exfiltrate sensitive data through compromised devices.

1. Immediate mitigation should focus on isolating affected M300 Wi-Fi Repeaters from sensitive networks until a vendor patch is available. 2. Network segmentation should be enforced to limit the reach of compromised devices, restricting their access to critical internal resources. 3. Monitor wireless networks for unusual configuration attempts or unexpected device behavior that could indicate exploitation attempts. 4. Disable or restrict remote wireless configuration features if possible, or require strong authentication mechanisms to reduce exposure. 5. If feasible, replace affected devices with alternative Wi-Fi repeaters from vendors with a strong security track record and timely patching policies. 6. Engage with Shenzhen Aitemi to obtain firmware updates or security advisories and apply patches promptly once released. 7. Employ network intrusion detection systems (NIDS) tuned to detect command injection patterns or anomalous shell command executions originating from Wi-Fi repeaters. 8. Conduct regular security audits and penetration testing focused on wireless infrastructure to identify and remediate similar vulnerabilities proactively.