CVE-2025-34184
CRITICALIlevia EVE X1 Server <= 4.7.18.0.eden - Unauthenticated OS Command Injection via 'passwd' Parameter
Title source: llmDescription
Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands by injecting payloads into the 'passwd' HTTP POST parameter, leading to full system compromise or denial of service.
References (4)
Core 4
Core References
Product product
https://www.ilevia.com/
Exploit, Third Party Advisory technical-description
exploit
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5956.php
Exploit, Third Party Advisory exploit
https://packetstorm.news/files/id/207717/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/ilevia-eve-x1-server-neuro-code-unauth-code-injection
Scores
CVSS v3
9.8
EPSS
0.0277
EPSS Percentile
84.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
ilevia/eve_x1_server_firmware
< 4.7.18.0
Ilevia Srl./EVE X1 Server
< 4.7.18.0.eden (Logic version: 6.00)
Published
Sep 16, 2025
Tracked Since
Feb 18, 2026