CRITICAL | CVE-2026-58457 | CNA: VulnCheck

CVE-2026-58457: Shenzhen Aitemi M300 MT02 Unauthenticated OS Command Injection via protocol.csp

Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS command injection vulnerability that allows network-adjacent attackers to execute arbitrary shell commands by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend. Attackers can append semicolon-delimited payloads to the name, enable, or mac GET parameters, which are passed without sanitization into sprintf() to build uci shell commands executed via doSystemCmdComlib(), granting full root-level control of the device.
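
The input handling that closes this class of bug, as an added example (not the vendor's code or a published patch): each of the three parameters is checked against an allowlist, and the value reaches uci as a single argv element intended for execv() rather than through a sprintf()-built shell string. The function names, the 32-character limit on name, and the `example.smacfilter` section are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* enable: only the literal flags "0" and "1". */
static int valid_enable(const char *s) {
    return s && (strcmp(s, "0") == 0 || strcmp(s, "1") == 0);
}

/* mac: exactly six colon-separated hex octets (17 characters). */
static int valid_mac(const char *s) {
    if (!s || strlen(s) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':') return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* name: 1..32 characters from [A-Za-z0-9_-], so no shell metacharacters.
 * The length limit is an assumption, not a value from the firmware. */
static int valid_name(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_' && s[i] != '-')
            return 0;
    return 1;
}

/* Returns 1 only when all three request parameters pass their allowlist. */
int smacfilter_params_ok(const char *name, const char *enable, const char *mac) {
    return valid_name(name) && valid_enable(enable) && valid_mac(mac);
}

/* Fills argv[4] for execv() of uci, using buf for the "section.option=value"
 * element. "example.smacfilter" is a placeholder section name.
 * Returns 0 on success, -1 if the value is rejected or does not fit. */
int build_uci_set_mac(const char *mac, char *buf, size_t len, const char *argv[4]) {
    if (!valid_mac(mac)) return -1;
    int n = snprintf(buf, len, "example.smacfilter.mac=%s", mac);
    if (n < 0 || (size_t)n >= len) return -1;
    argv[0] = "uci"; argv[1] = "set"; argv[2] = buf; argv[3] = NULL;
    return 0;
}
```

Because the validated value is handed over as one argv element, no shell ever parses it, so the allowlist is a second layer rather than the only barrier.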

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: (no fix version listed)
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an OS command injection vulnerability in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The flaw is reachable over the network and requires no authentication, meaning any attacker who can reach the device's web interface can exploit it by appending shell commands to the name, enable, or mac GET parameters of the protocol.csp endpoint. Successful exploitation gives the attacker full root-level control of the device, including the ability to read data, modify configuration, and disrupt service. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as one is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-58457 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle the affected Aitemi firmware or web backend components.

Triage: Available

HarborGuard is capable of scoring matched findings at CVSS 9.3 Critical and weighting them against each environment's compliance policy to determine urgency. Routed findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, customers with auto-remediation enabled will receive compensating-control recommendations, such as network-policy isolation of the affected device management interface, as part of the finding workflow.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the device's web interface, which is typical for any host on the same network segment or with routed access to the repeater's management port.

  • Authentication: Not required

    No credentials of any kind are required; the smacfilter_conf handler processes GET parameters before any authentication check is applied.

  • Victim interaction: Not required

    Exploitation is fully automated and does not require any action from a user or administrator on the target device.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; injected semicolon-delimited payloads are passed directly into a sprintf/shell execution path without any filtering or rate-limiting that would require timing or environmental tuning.

Blast Radius

  • Attacker executes arbitrary shell commands as root, gaining full control of the device operating system.
  • Attacker reads all stored configuration data, including Wi-Fi credentials, network topology details, and any secrets held on the device.
  • Attacker modifies device configuration, redirects DNS, or installs persistent backdoors that survive reboots.
  • Attacker crashes or restarts the repeater, severing network connectivity for all clients depending on it.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-58457 at this time, the platform continuously re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is published. For customers with auto-remediation enabled, that rebuild triggers a regression test run and a PR opened against affected workloads with no manual steps required. While waiting for an upstream fix, HarborGuard surfaces this finding at Critical severity and supports compensating controls including network-policy rules that restrict access to the device management interface to trusted source IPs, egress filtering to limit lateral movement from a compromised repeater, and feature-flag or firewall gating on the commuos web backend port. Customers whose compliance policy includes a mandatory remediation SLA for Critical findings will see this routed with the appropriate escalation path in their configured inbox.

Affected packages
  • Shenzhen Aitemi E Commerce Co. Ltd. / M300 Wi-Fi Repeater
    *
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N