CVE-2025-34150 is a critical OS command injection vulnerability identified in the PPPoE configuration interface of the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability arises due to improper neutralization of special elements in the 'user' parameter during network setup. Specifically, the device processes input unsafely, allowing an attacker to inject arbitrary system commands. Exploitation of this flaw can lead to execution of commands with root privileges, giving an attacker full control over the device. The vulnerability is classified under CWE-78, which pertains to improper neutralization of special elements used in OS commands. The CVSS 4.0 base score is 9.4, indicating a critical severity level. The attack vector is adjacent network (AV:A), meaning the attacker must have access to the local network or be able to connect to the device's management interface. The attack complexity is low (AC:L), no privileges or user interaction are required (PR:N, UI:N), and the impact on confidentiality, integrity, and availability is high (VC:H, VI:H, VA:H). No patches or known exploits in the wild are currently reported. This vulnerability affects all versions of the M300 Wi-Fi Repeater. Given the root-level command execution capability, an attacker could manipulate device configurations, intercept or redirect network traffic, deploy malware, or pivot to other internal network resources, posing a significant security risk.

For European organizations, this vulnerability poses a substantial threat, especially for those deploying Shenzhen Aitemi M300 Wi-Fi Repeaters in their network infrastructure. The device's role as a Wi-Fi repeater means it is often positioned within internal networks to extend wireless coverage, potentially bridging less secure wireless segments with critical internal systems. Successful exploitation could lead to full device compromise, enabling attackers to intercept sensitive communications, launch man-in-the-middle attacks, or use the compromised device as a foothold for lateral movement within corporate networks. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and government entities in Europe. Additionally, the ability to execute commands as root without authentication or user interaction increases the risk of automated exploitation by attackers with local network access. The lack of available patches further exacerbates the risk, potentially leading to prolonged exposure. The vulnerability could also impact home users and small businesses using these devices, indirectly affecting larger organizations through supply chain or partner network compromises.

Given the absence of official patches, European organizations should take immediate and specific actions to mitigate this vulnerability. First, isolate the Shenzhen Aitemi M300 Wi-Fi Repeaters from critical network segments by placing them in segregated VLANs with strict access controls to limit exposure. Disable or restrict access to the PPPoE configuration interface, ideally allowing management only from trusted administrative hosts or via secure management networks. Implement network-level filtering to block unauthorized access to the device's management ports. Monitor network traffic for unusual activity originating from these devices, including unexpected command execution patterns or anomalous network connections. Where feasible, replace affected devices with alternative Wi-Fi repeaters from vendors with timely security support. For organizations that must continue using these devices, consider deploying host-based intrusion detection systems (HIDS) on critical endpoints to detect lateral movement attempts. Maintain up-to-date inventories of network devices to quickly identify and remediate affected hardware. Finally, engage with the vendor for updates or security advisories and subscribe to vulnerability intelligence feeds to stay informed about any forthcoming patches or exploit developments.