CVE-2025-10364
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-12

Last updated on: 2025-09-15

Assigner: ONEKEY GmbH

Description
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and register license among other features. The application has been developed in PHP with the webEASY SDK, also named β€˜ewb’ by Evertz. This web interface has two endpoints that are vulnerable to arbitrary command injection (CVE-2025-4009, CVE-2025-10364) and the authentication mechanism has a flaw leading to authentication bypass (CVE-2025-10365). CVE-2025-4009 covers the command injection inΒ feature-transfer-import.php CVE-2025-10364 covers the command injection inΒ feature-transfer-export.php Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices. This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, alteration of closed captions being generated, among others.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-12
Last Modified
2025-09-15
Generated
2026-05-27
AI Q&A
2025-09-12
EPSS Evaluated
2026-05-25
NVD
CVE-2025-10364
EUVD
EUVD-2025-29048
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
evertz sdvn_3080ipx 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the Evertz SDVN 3080ipx-10G device's web management interface, specifically in the feature-transfer-export.php endpoint. It allows remote unauthenticated attackers to perform arbitrary command injection, leading to execution of commands with root privileges on the device.


How can this vulnerability impact me? :

An attacker exploiting this vulnerability can gain root-level access to the affected device, potentially causing serious business impacts such as interruption of media streaming, modification of media content being streamed, and alteration of closed captions being generated.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart