CVE-2025-34151: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Shenzhen Aitemi E Commerce Co. Ltd. M300 Wi-Fi Repeater
A command injection vulnerability exists in the 'passwd' parameter of the PPPoE setup process on the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The input is passed directly to system-level commands without sanitization, enabling unauthenticated attackers to achieve root-level code execution.
AI Analysis
Technical Summary
CVE-2025-34151 is a critical OS command injection vulnerability identified in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability resides in the 'passwd' parameter used during the PPPoE setup process. Specifically, the device firmware fails to properly sanitize or neutralize special characters in this parameter before passing it to underlying system-level commands. This improper neutralization (CWE-78) enables an unauthenticated remote attacker to inject arbitrary OS commands. Because the input is executed with root privileges, successful exploitation results in full system compromise, allowing attackers to execute arbitrary code, modify device configurations, or pivot into internal networks.
The vulnerability affects all versions of the M300 repeater, indicating a design or implementation flaw present since initial release. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates that the attack requires adjacent network access, has low complexity, needs no privileges or user interaction, and has high confidentiality, integrity, and availability impact.
Although no exploits have been reported in the wild yet, the vulnerability's characteristics make it a prime candidate for rapid weaponization. The lack of available patches at the time of publication increases exposure. The vulnerability is particularly dangerous in environments where these repeaters are deployed at network edges or in unmanaged segments, as attackers can leverage them as footholds for broader network intrusion.
Potential Impact
For European organizations, this vulnerability poses a severe risk of network compromise through a widely deployed IoT device. The M300 Wi-Fi repeater is often used to extend wireless coverage in small offices, homes, and some enterprise environments. Exploitation could lead to unauthorized access to internal networks, interception or manipulation of network traffic, and disruption of network availability. Given the root-level access gained, attackers could install persistent backdoors or launch further attacks against connected systems. Critical infrastructure sectors relying on these devices for connectivity, such as manufacturing, healthcare, and telecommunications, could face operational disruptions or data breaches. The vulnerability’s remote and unauthenticated nature means attackers can exploit it without prior access, increasing the attack surface. Additionally, the lack of patches or mitigations at publication time means organizations must rely on network segmentation and monitoring to reduce risk. The potential for lateral movement from compromised repeaters to sensitive systems elevates the threat to national security and business continuity in Europe.
Mitigation Recommendations
1. Immediate identification and inventory of all Shenzhen Aitemi M300 Wi-Fi Repeaters within the network environment.
2. Restrict network access to the device management interfaces, especially the PPPoE setup process, by implementing strict firewall rules and network segmentation to limit exposure to trusted administrators only.
3. Monitor network traffic for unusual or malformed PPPoE setup requests that could indicate exploitation attempts.
4. Engage with Shenzhen Aitemi E Commerce Co. Ltd. to obtain firmware updates or patches addressing this vulnerability as soon as they become available.
5. If patches are unavailable, consider temporary device replacement or disabling PPPoE functionality if not required.
6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection patterns targeting the 'passwd' parameter.
7. Conduct regular security audits and penetration testing focusing on IoT devices to identify similar vulnerabilities.
8. Educate network administrators about the risks of unmanaged IoT devices and enforce strict configuration management policies.
9. Implement network anomaly detection tools to identify lateral movement or unusual device behavior post-compromise.
10. Maintain up-to-date asset management and vulnerability scanning to quickly respond to emerging threats.
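One way to implement the heuristic in recommendation 6, shown as an added example that is not part of the original advisory or any vendor code: it parses form-encoded request bodies, undoes nested percent-encoding, and reports shell metacharacters found in the 'passwd' field. Only the `passwd` name comes from the advisory; the form-encoded body format, the `user` field and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Shell constructs that let a value break out of a command line:
# command substitution, separators, pipes, redirects, line breaks.
SHELL_META = re.compile(r"\$\(|\$\{|`|;|\|\||&&|\||&|>|<|\r|\n")

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %2524 -> %24 -> $)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_body(body):
    """Return one finding per 'passwd' field that carries shell metacharacters."""
    findings = []
    for name, raw in parse_qsl(body, keep_blank_values=True):
        if name.lower() != "passwd":
            continue
        tokens = sorted({m.group(0) for m in SHELL_META.finditer(decode_fully(raw))})
        if tokens:
            findings.append({"param": name, "tokens": tokens})
    return findings

def scan(bodies):
    """Return the indexes of request bodies that should be triaged."""
    return [i for i, body in enumerate(bodies) if inspect_body(body)]

# Constructed sample bodies (not captured traffic). The 'user' field is assumed.
SAMPLES = [
    "user=alice&passwd=Summer2024",            # ordinary credential
    "user=alice&passwd=x%3Bid",                # ';' separator
    "user=alice&passwd=x%2524%2528id%2529",    # double-encoded '$(' ... ')'
    "user=a%3Bb&passwd=ok",                    # metacharacter outside passwd
]

if __name__ == "__main__":
    for i in scan(SAMPLES):
        print(i, inspect_body(SAMPLES[i]))
```

Legitimate passwords can contain some of these characters, so a hit is a lead for triage, not proof of exploitation. A raw, unencoded `&` ends the field during form parsing, so only its encoded form shows up inside the value.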
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.565Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6894d8b1ad5a09ad00fb13ec
Added to database: 8/7/2025, 4:47:45 PM
Last enriched: 11/27/2025, 4:37:07 PM
Last updated: 12/2/2025, 5:29:59 AM