CVE-2025-34186
CRITICALIlevia EVE X1/X5 Server <= 4.7.18.0.eden - Unauthenticated OS Command Injection via Authentication Mechanism
Title source: llmDescription
Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Because the binary interprets non-zero exit codes from system() as successful authentication, remote attackers can bypass authentication and gain full access to the system.
References (4)
Core 4
Core References
Product product
https://www.ilevia.com/
Exploit, Third Party Advisory technical-description
exploit
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5958.php
Exploit, Third Party Advisory exploit
https://packetstorm.news/files/id/208871/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/ilevia-eve-x1-x5-server-auth-bypass
Scores
CVSS v3
9.8
EPSS
0.0083
EPSS Percentile
52.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-287
CWE-78
Status
published
Products (2)
ilevia/eve_x1_server_firmware
< 4.7.18.0
Ilevia Srl./EVE X1/X5 Server
< 4.7.18.0.eden (Logic version: 6.00)
Published
Sep 16, 2025
Tracked Since
Feb 18, 2026