Cyber Posture

CVE-2025-60738

CriticalPublic PoC

Published: 20 November 2025

Published
20 November 2025
Modified
15 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0090 75.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before Logic Version v6.00 - 2025_07_21 and before allows a remote attacker to execute arbitrary code via the ping.php component does not perform secure filtering on IP parameters

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the lack of secure filtering on IP parameters in ping.php by requiring validation of inputs to prevent command injection.

SI-2 Flaw Remediation good match
prevent

Ensures timely remediation of the command injection flaw through firmware updates for affected Ilevia EVE X1 Server versions.

SI-9 Information Input Restrictions partial match
prevent

Restricts IP parameters to valid formats and quantities, mitigating injection attempts by blocking malformed inputs to ping.php.

Security SummaryAI

CVE-2025-60738 is a critical command injection vulnerability (CWE-78) affecting Ilevia EVE X1 Server Firmware versions v4.7.18.0.eden and earlier, as well as Logic Versions prior to v6.00-2025_07_21. The flaw exists in the ping.php component, which does not perform secure filtering on IP parameters, allowing remote attackers to execute arbitrary code. Published on 2025-11-20, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability over the network without authentication, privileges, or user interaction. By crafting malicious IP parameters in requests to ping.php, the attacker achieves arbitrary code execution on the server, resulting in high-impact confidentiality, integrity, and availability violations, such as full system compromise.

The primary reference is a GitHub repository at https://github.com/iSee857/ilevia-EVE-X1-Server, which provides details on the vulnerability but does not specify official patches or mitigation steps in the available information.

Details

CWE(s)
CWE-78

Affected Products

ilevia
eve x1 server firmware
4.7.18.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is a command injection in the public-facing ping.php web component, enabling unauthenticated remote arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References