CVE-2026-58457: Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated OS Command Injection
An unauthenticated OS command injection vulnerability, CVE-2026-58457, exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02), allowing network-adjacent attackers to execute arbitrary shell commands and gain full root-level control by injecting unsanitized input into the `smacfilter_conf` handler's GET parameters within the `commuos` web backend.
What's new
- l1 OS linux Jul 17, 00:01 via sploitus
The National Vulnerability Database (NVD) has disclosed CVE-2026-58457, an unauthenticated OS command injection vulnerability affecting the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). This critical flaw allows network-adjacent attackers to achieve full root-level control over the device. Attackers can leverage the smacfilter_conf handler in the commuos web backend by injecting unsanitized input into the 'name', 'enable', or 'mac' GET parameters. This vulnerability stems from the device's firmware improperly handling user-supplied data, passing it directly to sprintf() and then executing it via doSystemCmdComlib(), making these devices highly susceptible to compromise without authentication.
Attack Chain
- Attacker identifies an internet-facing or network-adjacent Shenzhen Aitemi M300 Wi-Fi Repeater.
- Attacker crafts a malicious HTTP GET request targeting the
/commuos/smacfilter_confhandler in the device's web backend. - The request includes a payload appended with semicolon-delimited OS commands within the 'name', 'enable', or 'mac' GET parameters (e.g.,
?name=test;id). - The vulnerable
commuosweb backend receives the request and processes the injected parameters without proper sanitization. - The unsanitized input, including the attacker's OS command, is concatenated into a command string using
sprintf(). - The
doSystemCmdComlib()function executes the malformed command string with root privileges on the device's underlying operating system. - Attacker gains full root-level control over the Shenzhen Aitemi M300 Wi-Fi Repeater.
- Attacker can then perform actions such as installing backdoors, modifying network configurations, or launching further attacks from the compromised device.
Impact
A successful exploitation of CVE-2026-58457 grants network-adjacent attackers unauthenticated, full root-level control over the Shenzhen Aitemi M300 Wi-Fi Repeater. This level of access allows attackers to completely compromise the device, potentially reconfiguring it for malicious purposes, intercepting network traffic, launching denial-of-service attacks, or establishing a foothold within the victim's network. Given the nature of Wi-Fi repeaters, compromised devices could become an entry point for lateral movement or data exfiltration from connected devices on the network, posing a significant risk to data confidentiality, integrity, and availability for home and small office networks.
Recommendation
- Apply the vendor-provided firmware update for Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) that addresses CVE-2026-58457 immediately.
- Deploy the
Detects CVE-2026-58457 Exploitation — Shenzhen Aitemi M300 Wi-Fi Repeater OS Command InjectionSigma rule provided in this brief to your SIEM. - Ensure webserver access logs are enabled and forwarded to your SIEM for all internet-facing network devices to facilitate detection of exploitation attempts.
Detection coverage 1
Detects CVE-2026-58457 Exploitation — Shenzhen Aitemi M300 Wi-Fi Repeater OS Command Injection
highDetects exploitation attempts of CVE-2026-58457 by monitoring HTTP GET requests to the /commuos/smacfilter_conf handler with OS command injection characters in 'name', 'enable', or 'mac' parameters.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
4
url
| Type | Value |
|---|---|
| url | https://sploitus.com/exploit?id=5A474EE3-FF1F-594E-B4E1-2CAE4FE9D32A |
| url | http://your-ip:8080/ |
| url | https://www.vulncheck.com/advisories/shenzhen-aitemi-m300-mt02-unauthenticated-os-command-injection-via-protocol-csp |
| url | https://github.com/IEATASICS/m300-repeater-bugs |