Skip to main content

M300 Wi-Fi Repeater EUVDEUVD-2026-41128

| CVE-2026-58457 CRITICAL
OS Command Injection (CWE-78)
2026-07-01 VulnCheck GHSA-gfhx-3hfg-x9hv
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Description says 'network-adjacent,' so AV:A rather than AV:N; unauthenticated (PR:N) with no interaction, and root command execution yields full C:H/I:H/A:H.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 20:15 vuln.today
CVE Published
Jul 01, 2026 - 19:22 cve.org
CRITICAL 9.3

DescriptionCVE.org

Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS command injection vulnerability that allows network-adjacent attackers to execute arbitrary shell commands by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend. Attackers can append semicolon-delimited payloads to the name, enable, or mac GET parameters, which are passed without sanitization into sprintf() to build uci shell commands executed via doSystemCmdComlib(), granting full root-level control of the device.

AnalysisAI

Unauthenticated OS command injection in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) lets network-adjacent attackers run arbitrary shell commands as root through the smacfilter_conf handler in the commuos web backend. Publicly available exploit code exists (published by VulnCheck/IEATASICS), and successful exploitation grants full device takeover; the flaw carries a CVSS 4.0 base score of 9.3 but is reachable only by attackers adjacent to the device's network. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join or reach device LAN/Wi-Fi
Delivery
Send crafted GET to smacfilter_conf
Exploit
Inject semicolon payload in mac/name/enable
Execution
Payload passed via sprintf to uci command
Persist
doSystemCmdComlib executes as root
Impact
Full root control of repeater

Vulnerability AssessmentAI

Exploitation Exploitation requires network adjacency to the device - the attacker must be able to reach the M300's web backend, typically by being connected to or in range of the repeater's LAN/Wi-Fi (the description states 'network-adjacent,' which limits exploitation despite the input vector's AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals mostly align toward high technical severity but limited real-world blast radius. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has joined or is adjacent to the same Wi-Fi/LAN as the repeater sends a crafted HTTP GET request to the smacfilter_conf endpoint, appending a semicolon-delimited shell payload (e.g., in the mac parameter) such as a reverse-shell or telnetd command. Because the input flows unsanitized through sprintf() into a root-level doSystemCmdComlib() call, the injected command runs as root, giving full device control. …
Remediation No vendor-released patch identified at time of analysis, and the CPE shows all versions affected, so remediation must rely on compensating controls. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Aitemi M300 MT02 units in your environment and immediately isolate them from production networks or restrict administrative access to locked-down management VLANs only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy