CVE-2025-34514
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-11-25
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ilevia | eve_x1_server_firmware | to 4.7.18.0 (inc) |
| ilevia | eve_x1_server | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Ilevia EVE X1 Server firmware versions up to 4.7.18.0.eden and involves authenticated OS command injection in multiple web-accessible PHP scripts that use the exec() function. An attacker with authentication can exploit this to execute arbitrary commands on the server.
How can this vulnerability impact me? :
The vulnerability allows an authenticated attacker to execute arbitrary commands on the affected server, potentially leading to unauthorized control, data compromise, or disruption of services. Since the vendor does not provide a fix and recommends not exposing port 8080 to the internet, the risk increases if the server is accessible externally.
What immediate steps should I take to mitigate this vulnerability?
Ilevia recommends that customers do not expose port 8080 to the internet as an immediate mitigation step.