CVE-2025-34187
Severity: HIGH
Ilevia EVE X1/X5 Server <= 4.7.18.0.eden - OS Command Injection via Sudoers Misconfiguration
Title source: llmDescription
Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a misconfiguration in the sudoers file that allows passwordless execution of certain Bash scripts. If these scripts are writable by web-facing users or accessible via command injection, attackers can replace them with malicious payloads. Execution with sudo grants full root access, resulting in remote privilege escalation and potential system compromise.
References (4)
Core references:
- Product: https://www.ilevia.com/
- Exploit, Third Party Advisory (technical description, exploit): https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5959.php
- Exploit, Permissions Required, Third Party Advisory (exploit): https://packetstorm.news/files/id/209226/
- Third Party Advisory (third-party advisory): https://www.vulncheck.com/advisories/ilevia-eve-x1-x5-server-reverse-rootshell
Scores
CVSS v3: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0319
EPSS Percentile: 86.4%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-78, CWE-269
Status: published
Products (2)
- ilevia/eve_x1_server_firmware: < 4.7.18.0
- Ilevia Srl./EVE X1/X5 Server: < 4.7.18.0.eden (Logic version: 6.00)
Published: Sep 16, 2025
Tracked Since: Feb 18, 2026