CVE-2025-34513
CRITICALIlevia EVE X1 Server Firmware <= 4.7.18.0.eden - Unauthenticated OS Command Injection in mbus_build_from_csv.php
Title source: llmDescription
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
References (3)
Core 3
Core References
Product product
https://www.ilevia.com/
Exploit, Third Party Advisory technical-description
exploit
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5962.php
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/ilevia-eve-x1-server-unauth-command-injection
Scores
CVSS v3
9.8
EPSS
0.0768
EPSS Percentile
93.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
ilevia/eve_x1_server_firmware
< 4.7.18.0
Ilevia Srl./EVE X1 Server
< 4.7.18.0.eden
Published
Oct 16, 2025
Tracked Since
Feb 18, 2026