CVE-2025-34513
Published: 16 October 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-34513 is an OS command injection vulnerability (CWE-78) affecting Ilevia EVE X1 Server firmware versions up to and including 4.7.18.0.eden. The flaw resides in the mbus_build_from_csv.php component, enabling an unauthenticated attacker to execute arbitrary operating system commands. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for complete system compromise.
An unauthenticated remote attacker can exploit this vulnerability over the network by sending a specially crafted request to the vulnerable endpoint, achieving arbitrary code execution on the underlying server. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing full control over the affected device, including data exfiltration, persistence, or further lateral movement within the target environment.
Advisories from VulnCheck and Zero Science Labs detail the issue, while Ilevia has explicitly declined to provide a patch or further servicing. The vendor recommends that customers avoid exposing port 8080 to the internet as the primary mitigation, emphasizing network segmentation and access controls to prevent exploitation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated OS command injection in a network-accessible PHP endpoint (port 8080) enables exploitation of a public-facing application (T1190) for arbitrary Unix shell command execution (T1059.004).