CVE-2025-34152 is an OS command injection vulnerability classified under CWE-78 affecting the Shenzhen Aitemi M300 Wi-Fi Repeater (model MT02). The flaw exists in the handling of the 'time' parameter on the '/protocol.csp?' HTTP endpoint, which is processed by the device’s internal date '-s' command. This improper neutralization of special elements allows an unauthenticated remote attacker to inject arbitrary OS commands. Unlike other injection points, this vector does not require authentication, user interaction, or cause visible configuration changes or service disruptions, making detection difficult. The vulnerability enables attackers to execute commands with the privileges of the device’s operating system, potentially leading to full device compromise, data exfiltration, or pivoting to internal networks. The CVSS 4.0 score of 9.4 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction needed. No patches or official mitigations have been published yet, and no exploits are currently known in the wild, though the risk of exploitation remains significant due to the device’s network exposure and critical role in connectivity. The vulnerability highlights the need for immediate risk assessment and protective measures in environments deploying this hardware.

The impact on European organizations using the Shenzhen Aitemi M300 Wi-Fi Repeater can be severe. Successful exploitation allows attackers to execute arbitrary commands remotely without authentication, risking full device compromise. This can lead to unauthorized access to internal networks, interception or manipulation of network traffic, and potential lateral movement to other critical systems. Confidentiality is at risk due to possible data leakage; integrity can be compromised by altering device configurations or injecting malicious payloads; availability may be affected if attackers disrupt network services or use the device as a foothold for further attacks. The stealthy nature of the exploit, which does not cause visible configuration changes or service interruptions, complicates detection and response. European enterprises relying on these repeaters for network extension or IoT connectivity face increased exposure, especially in sectors with stringent data protection requirements such as finance, healthcare, and government. The absence of patches increases the window of vulnerability, necessitating immediate compensating controls to mitigate risk.

Given the lack of available patches, European organizations should implement several specific mitigations: 1) Conduct a comprehensive inventory to identify all Shenzhen Aitemi M300 Wi-Fi Repeaters in use. 2) Isolate these devices on segmented network zones with strict access controls to limit exposure to untrusted networks. 3) Employ network intrusion detection/prevention systems (IDS/IPS) configured to detect anomalous HTTP requests targeting the '/protocol.csp?' endpoint, especially those manipulating the 'time' parameter. 4) Disable or restrict remote management interfaces if not required, or enforce strong authentication and access control policies. 5) Monitor device logs and network traffic for unusual command execution patterns or unexpected outbound connections. 6) Engage with the vendor for updates or patches and plan for device replacement if no remediation is forthcoming. 7) Educate network administrators about this vulnerability and the importance of rapid incident response. 8) Consider deploying application-layer firewalls or web application firewalls (WAFs) to filter malicious payloads targeting the vulnerable endpoint. These targeted actions go beyond generic advice and address the specific exploitation vector and device context.