CVE-2025-34514
Severity: HIGH
Ilevia EVE X1 Server Firmware <= 4.7.18.0.eden - Authenticated OS Command Injection via PHP Scripts
Title source: llm
Description
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain authenticated OS command injection vulnerabilities in multiple web-accessible PHP scripts that call exec() and allow an authenticated attacker to execute arbitrary commands. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
References (3)
Core References
Product: https://www.ilevia.com/
Third Party Advisory (technical-description, exploit): https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5966.php
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/ilevia-eve-x1-server-auth-command-injection
Scores
CVSS v3: 8.8
EPSS: 0.0207
EPSS Percentile: 79.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (2)
ilevia/eve_x1_server_firmware: < 4.7.18.0
Ilevia Srl./EVE X1 Server: < 4.7.18.0.eden
Published: Oct 16, 2025
Tracked Since: Feb 18, 2026