CVE-2025-34512

MEDIUM

Ilevia EVE X1 Server Firmware <= 4.7.18.0.eden - Unauthenticated Reflected Cross-Site Scripting in index.php

Title source: llm

Description

Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary script in the victim's browser. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.

References (3)

Core References
Product: https://www.ilevia.com/
Exploit, Third Party Advisory (technical-description, exploit): https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5961.php

Scores

CVSS v3 6.1
EPSS 0.0037
EPSS Percentile 29.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
ilevia/eve_x1_server_firmware < 4.7.18.0
Ilevia Srl./EVE X1 Server < 4.7.18.0.eden
Published Oct 16, 2025
Tracked Since Feb 18, 2026