Cyber Posture

CVE-2025-60739

CriticalPublic PoC

Published: 25 November 2025

Published
25 November 2025
Modified
30 December 2025
KEV Added
Patch
CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0016 36.0th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates the CSRF vulnerability by requiring validation of inputs to the /bh_web_backend component, such as CSRF tokens or origin headers, to prevent forged requests leading to arbitrary code execution.

SC-23 Session Authenticity good match
prevent

Protects session authenticity to ensure requests to the vulnerable endpoint originate from legitimate user sessions, blocking cross-site forgery attacks.

SI-2 Flaw Remediation good match
prevent

Remediates the specific CSRF flaw in Ilevia EVE X1 Server Firmware v4.7.18.0.eden and prior versions through timely patching or updates.

Security SummaryAI

CVE-2025-60739 is a Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware version v4.7.18.0.eden and prior, as well as Logic Version v6.00 - 2025_07_21. The flaw exists in the /bh_web_backend component and enables a remote attacker to execute arbitrary code. It carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is linked to CWEs-79, CWE-200, and CWE-352.

A remote attacker can exploit this vulnerability without authentication by tricking a user into performing an action via a malicious webpage or link, given the requirement for user interaction (UI:R). No privileges are needed (PR:N), and exploitation is straightforward over the network (AV:N) with low attack complexity (AC:L). Success grants high-impact confidentiality, integrity, and availability compromise, with scope expansion (S:C) allowing arbitrary code execution on the server.

Mitigation details and a proof-of-concept are available in the referenced GitHub repository at https://github.com/iSee857/ilevia-EVE-X1-Server-CSRF.

Details

CWE(s)
CWE-79CWE-200CWE-352

Affected Products

ilevia
eve x1 server firmware
4.7.18.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

CSRF and DOM-based XSS in public-facing web backend (/bh_web_backend.php) enable exploitation of the application (T1190) and JavaScript code execution (T1059.007) for information disclosure and arbitrary code execution.

References