CVE-2026-58457
Published: 01 July 2026
Summary
CVE-2026-58457 is a critical-severity OS Command Injection (CWE-78) vulnerability in Aliexpress (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-41128
Vulnerability details
Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS command injection vulnerability that allows network-adjacent attackers to execute arbitrary shell commands by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend. Attackers can append semicolon-delimited payloads to the name, enable, or mac GET parameters, which are passed without sanitization into sprintf() to build uci shell commands executed via doSystemCmdComlib(), granting full root-level control of the device.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection in the web backend maps directly to Exploit Public-Facing Application (T1190); the injected payload then runs as an arbitrary Unix shell command (T1059.004).
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of the name, enable, and mac GET parameters before they are passed to sprintf() and doSystemCmdComlib().
- AC-3 (Access Enforcement): enforces authentication and authorization on the commuos web backend so that unauthenticated network-adjacent actors cannot invoke smacfilter_conf.
- Least functionality: restricts the device to only the minimum required functions, disabling or removing the vulnerable smacfilter_conf handler and the doSystemCmdComlib() capability.
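As an added illustration (not the vendor's code and not derived from the affected firmware), the following C sketch shows the SI-10 control from the list above applied to the handler described in the vulnerability details: each of the name, enable and mac parameters is checked against a strict format before it is used, the uci assignment is built with a bounded snprintf(), and uci is executed through an argv vector rather than a shell string, so a semicolon inside a parameter can never separate commands. All function names, the `macfilter` config name and the accepted parameter formats are assumptions made for this example.

```c
/* Added example (hypothetical names): input validation plus shell-free
 * execution for a MAC-filter configuration handler. Not the vendor's code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define NAME_MAX_LEN 32

/* Accept only a canonical colon-separated MAC: 17 chars, hex pairs, ':' separators. */
int valid_mac(const char *mac)
{
    if (mac == NULL || strlen(mac) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return 0;
        }
    }
    return 1;
}

/* Rule names: 1..NAME_MAX_LEN chars from [A-Za-z0-9_-], so ';', '`', '$', '|'
 * and whitespace are rejected outright instead of being escaped. */
int valid_name(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > NAME_MAX_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* enable is a boolean flag: accept exactly "0" or "1", nothing else. */
int valid_enable(const char *enable)
{
    return enable && (strcmp(enable, "0") == 0 || strcmp(enable, "1") == 0);
}

/* Build "macfilter.<section>.<option>=<value>" with a bounded snprintf.
 * ("macfilter" is a constructed config name for the example.)
 * Returns the length written, or -1 if the result would not fit. */
int build_uci_assignment(char *out, size_t outlen, const char *section,
                         const char *option, const char *value)
{
    int n = snprintf(out, outlen, "macfilter.%s.%s=%s", section, option, value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Run "uci set <assignment>" via fork/execvp. Because uci receives an argv
 * vector and no shell is involved, no metacharacter in the assignment is
 * ever interpreted as command syntax. */
static int run_uci_set(const char *assignment)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"uci", "set", (char *)assignment, NULL};
        execvp("uci", argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Handler entry point (hypothetical): reject the request unless every
 * parameter validates, then apply both settings. With dry_run != 0 it only
 * validates and builds the assignments, which is what the test exercises.
 * Returns 0 on success, -1 on rejection or execution failure. */
int smacfilter_conf_checked(const char *name, const char *enable,
                            const char *mac, int dry_run)
{
    if (!valid_name(name) || !valid_enable(enable) || !valid_mac(mac))
        return -1;

    char enable_arg[128], mac_arg[128];
    if (build_uci_assignment(enable_arg, sizeof enable_arg, name, "enable", enable) < 0 ||
        build_uci_assignment(mac_arg, sizeof mac_arg, name, "mac", mac) < 0)
        return -1;

    if (dry_run)
        return 0;
    if (run_uci_set(enable_arg) != 0)
        return -1;
    return run_uci_set(mac_arg);
}
```

The design point is that the allow-list checks do the security work: after `valid_name`, `valid_enable` and `valid_mac` succeed, no byte that could act as a shell separator remains in any parameter, and the argv-based exec is a second, independent layer in case a later change reintroduces a string-built command. Pairing this with the AC-3 control (authentication before the handler is reachable at all) closes both halves of the issue described above.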