CVE-2026-58457
Severity: Critical (CVSS 9.8)
Exploitation Probability (EPSS): Elevated risk, 74th percentile (higher than 74% of all known CVEs)
Summary
The Shenzhen Aitemi M300 Wi-Fi Repeater (model MT02) has an unauthenticated OS command injection vulnerability. Network-adjacent attackers can execute arbitrary shell commands by injecting unsanitized input through GET parameters in the smacfilter_conf handler of the commuos web backend.
Risk Assessment
The risk for the organization is that an unauthenticated attacker on the local network can gain full root-level control of the device, potentially compromising data confidentiality and integrity and using the repeater as a pivot point for further attacks.
Recommendation
Immediately restrict access to the device's web interface to trusted networks and apply firewall rules to limit traffic to essential services. Also, update the firmware if the vendor releases a patch.
Original NVD description (English source)
Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS command injection vulnerability that allows network-adjacent attackers to execute arbitrary shell commands by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend. Attackers can append semicolon-delimited payloads to the name, enable, or mac GET parameters, which are passed without sanitization into sprintf() to build uci shell commands executed via doSystemCmdComlib(), granting full root-level control of the device.
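As an added illustration (not vendor firmware code and not part of the NVD entry), the following C sketch shows allow-list validation that a handler of this kind could apply to the name, enable and mac parameters before any value is formatted into a command string. The function names, the 32-character name limit, the accepted name characters and the "0"/"1" encoding of enable are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed limit; the firmware's real field size is not given on this page. */
#define NAME_MAX_LEN 32

/* name: 1..NAME_MAX_LEN characters from [A-Za-z0-9_-] only (assumed policy). */
static int valid_name(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > NAME_MAX_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* enable: exactly "0" or "1" (assumed encoding), nothing appended. */
static int valid_enable(const char *s)
{
    return s != NULL && (strcmp(s, "0") == 0 || strcmp(s, "1") == 0);
}

/* mac: exactly six colon-separated hex octets (17 characters in total). */
static int valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (size_t i = 0; i < 17; i++) {
        unsigned char c = (unsigned char)s[i];
        int ok = (i % 3 == 2) ? (c == ':') : (isxdigit(c) != 0);
        if (!ok)
            return 0;
    }
    return 1;
}

/* Returns 1 only when all three parameters pass; the caller must reject
 * the request otherwise, before any command string is built. */
int smacfilter_params_ok(const char *name, const char *enable, const char *mac)
{
    return valid_name(name) && valid_enable(enable) && valid_mac(mac);
}
```

Allow-listing closes this input path; passing arguments as an argv array to an exec-style call instead of a shell string removes the shell interpretation step altogether.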

