CVE-2026-58457

Critical · Public PoC · RCE

Published: 01 July 2026
Modified: 02 July 2026
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0167 (74.0th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-58457 is a critical-severity OS Command Injection (CWE-78) vulnerability in Aliexpress (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Vulnerability details

Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS command injection vulnerability that allows network-adjacent attackers to execute arbitrary shell commands by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend. Attackers can append semicolon-delimited payloads to the name, enable, or mac GET parameters, which are passed without sanitization into sprintf() to build uci shell commands executed via doSystemCmdComlib(), granting full root-level control of the device.

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated command injection in the web backend directly enables exploitation of the public-facing application (T1190) for arbitrary Unix shell execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Aliexpress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

- prevent (SI-10 Information Input Validation): Requires validation and sanitization of the name, enable, and mac GET parameters before they are passed to sprintf() and doSystemCmdComlib().
- prevent (AC-3 Access Enforcement): Enforces authentication and authorization on the commuos web backend so that unauthenticated network-adjacent actors cannot invoke smacfilter_conf.
- prevent (least functionality): Restricts the device to only the minimum required functions, disabling or removing the vulnerable smacfilter_conf handler and doSystemCmdComlib() capability.
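As an added example (not the vendor's code and not taken from this page), the C below shows the unsanitized-sprintf pattern the vulnerability details describe beside a handler that applies the SI-10 control: it percent-decodes the name, enable and mac GET parameters, validates each against a strict shape, and builds the uci command only from values that passed. The function names, the uci command layout and the sample query strings are assumptions, since the page does not show the firmware's actual command format.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the vendor's code. The uci command layout, the
 * function names and every query string used here are hypothetical. */

#define VAL_MAX 64

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Extract and percent-decode one parameter from a query string such as
 * "name=guest&enable=1&mac=...". Validation must run on the DECODED value;
 * a check that looks for ';' in the raw query misses "%3B". Returns true
 * when the key is present and its value fits in out. */
bool get_param(const char *query, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1, *vend = p + seglen;
            size_t o = 0;
            while (v < vend) {
                int c = (unsigned char)*v++;
                if (c == '%' && vend - v >= 2 && hexval(v[0]) >= 0 && hexval(v[1]) >= 0) {
                    c = hexval(v[0]) * 16 + hexval(v[1]);
                    v += 2;
                } else if (c == '+') {
                    c = ' ';
                }
                if (o + 1 >= outlen) return false;
                out[o++] = (char)c;
            }
            out[o] = '\0';
            return true;
        }
        if (!end) break;
        p = end + 1;
    }
    return false;
}

/* Vulnerable pattern: the raw parameter value is pasted into a shell
 * command line, so any shell metacharacter it carries reaches the shell
 * unchanged. snprintf is used only so this example cannot overflow; it does
 * nothing against injection. Returns the length written or -1. */
int build_uci_cmd_unsafe(char *out, size_t outlen,
                         const char *name, const char *key, const char *value)
{
    int n = snprintf(out, outlen, "uci set smacfilter.%s.%s=%s", name, key, value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* name: 1-32 characters of [A-Za-z0-9_], all a uci section name needs.
 * Anything else (';', '&', '|', '$', '`', quotes, whitespace) is rejected
 * outright rather than escaped. */
bool valid_name(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 32) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_')) return false;
    }
    return true;
}

/* enable: allow-list of the only two values the option can take. */
bool valid_enable(const char *s)
{
    return strcmp(s, "0") == 0 || strcmp(s, "1") == 0;
}

/* mac: exactly "hh:hh:hh:hh:hh:hh". */
bool valid_mac(const char *s)
{
    if (strlen(s) != 17) return false;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':') return false;
        } else if (hexval((unsigned char)s[i]) < 0) {
            return false;
        }
    }
    return true;
}

/* Hardened handler: parse, decode, validate, and only then build the
 * command, so rejected input never becomes part of a command string.
 * Returns 0 on success, -1 on rejection. Passing each value to uci as a
 * separate execv() argument, with no shell at all, would go one step
 * further; this example stops at validation. */
int handle_smacfilter_conf(const char *query, char *cmd, size_t cmdlen)
{
    char name[VAL_MAX], enable[VAL_MAX], mac[VAL_MAX];
    if (!get_param(query, "name", name, sizeof name) ||
        !get_param(query, "enable", enable, sizeof enable) ||
        !get_param(query, "mac", mac, sizeof mac))
        return -1;
    if (!valid_name(name) || !valid_enable(enable) || !valid_mac(mac))
        return -1;
    int n = snprintf(cmd, cmdlen,
                     "uci set smacfilter.%s.enable=%s && uci set smacfilter.%s.mac=%s",
                     name, enable, name, mac);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}
```

The validators reject rather than escape: with the permitted character sets there is no way for a value that passes to contain a shell metacharacter, which is what makes the final snprintf safe to compose. Decoding before validating matters because the web server, not the handler, normally percent-decodes GET parameters; a check placed on the wrong side of that step is bypassable.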
