// vulnerability record
CVE-2026-58457
cached · NVD via COSMOS sync
CRITICAL · CVSS 9.3 / 10
published 2026-07-01 20:17 UTC · 3 days ago · modified 2026-07-02 17:42 UTC
// description
Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS command injection vulnerability that allows network-adjacent attackers to execute arbitrary shell commands by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend. Attackers can append semicolon-delimited payloads to the name, enable, or mac GET parameters, which are passed without sanitization into sprintf() to build uci shell commands executed via doSystemCmdComlib(), granting full root-level control of the device.
// weaknesses (CWE)
- CWE-78