Home

Description

Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain authenticated OS command injection vulnerabilities in multiple web-accessible PHP scripts that call exec() and allow an authenticated attacker to execute arbitrary commands. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.

PUBLISHED Reserved 2025-04-15 | Published 2025-10-16 | Updated 2025-10-16 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unknown

*
affected

Credits

Gjoko Krstic of Zero Science Lab finder

References

www.ilevia.com/ product

www.vulncheck.com/...ia-eve-x1-server-auth-command-injection third-party-advisory

cve.org (CVE-2025-34514)

nvd.nist.gov (CVE-2025-34514)

Download JSON