CVE-2025-34152

CRITICAL EXPLOITED NUCLEI

Shenzhen Aitemi M300 Wi-Fi Repeater - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-34152 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Chocapikk, kh4sh3i, Valentin Lobstein, including a Metasploit module exploits/linux/http/aitemi_m300_time_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Go-based exploit targets an unauthenticated RCE vulnerability in Shenzhen Aitemi M300 Wi-Fi Repeater by injecting a reverse shell payload via the 'time' parameter in a POST request to '/protocol.csp'. The payload uses a named pipe and netcat to establish a reverse shell.

Description

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.

Exploits (3)

nomisec WORKING POC 4 stars
by Chocapikk · remote
https://github.com/Chocapikk/CVE-2025-34152

This Go-based exploit targets an unauthenticated RCE vulnerability in Shenzhen Aitemi M300 Wi-Fi Repeater by injecting a reverse shell payload via the 'time' parameter in a POST request to '/protocol.csp'. The payload uses a named pipe and netcat to establish a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Shenzhen Aitemi M300 Wi-Fi Repeater (lighttpd/1.4.32)
No auth needed
Prerequisites: Network access to the target device · Attacker-controlled listener for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by kh4sh3i · remote
https://github.com/kh4sh3i/CVE-2025-34152

This Go-based exploit targets an unauthenticated RCE vulnerability in Shenzhen Aitemi M300 Wi-Fi Repeaters (CVE-2025-34152). It leverages command injection via the `protocol.csp` endpoint to spawn a reverse shell using `nc` and a named pipe.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Shenzhen Aitemi M300 Wi-Fi Repeater (versions 1.0.x, 1.1.x, 1.2.x)
No auth needed
Prerequisites: Attacker-controlled host with `nc` or equivalent for reverse shell · Network access to the target device
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by Valentin Lobstein · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/aitemi_m300_time_rce.rb

This Metasploit module exploits an unauthenticated remote command injection vulnerability in the Shenzhen Aitemi M300 Wi-Fi Repeater. The vulnerability is in the 'time' parameter of the time configuration endpoint, which is passed unsanitized to a shell command executed via the `date -s` mechanism, allowing root-level command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02)
No auth needed
Prerequisites: Network access to the target device · Target device must be running the vulnerable firmware
devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

Shenzhen Aitemi M300 Wi-Fi Repeater – Unauthenticated Remote Command Execution via `time` Parameter
CRITICALVERIFIEDby Chocapikk,DhiyaneshDk
Shodan: http.favicon.hash:-741058468 "lighttpd/1.4.32"
FOFA: icon_hash="-741058468" && server=="lighttpd/1.4.32"

References (3)

Core 3

Scores

CVSS v4 9.4
EPSS 0.2332
EPSS Percentile 96.1%
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-09-15
CWE
CWE-78
Status published
Products (1)
Shenzhen Aitemi E Commerce Co. Ltd./M300 Wi-Fi Repeater
Published Aug 07, 2025
Tracked Since Feb 18, 2026