PT-2025-38074 · Ilevia · Ilevia Eve X1 Server
Gjoko Krstic · Published 2025-09-16 · Updated 2025-09-25 · CVE-2025-34184
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Ilevia EVE X1 Server versions prior to 4.7.18.0.eden

Description
Ilevia EVE X1 Server is susceptible to an unauthenticated OS command injection. Attackers can execute arbitrary system commands by injecting payloads into the passwd HTTP POST parameter of the /ajax/php/login.php API endpoint, potentially leading to full system compromise or denial of service.

Recommendations
Versions prior to 4.7.18.0.eden should be updated.
As a temporary workaround, restrict access to the /ajax/php/login.php API endpoint.
Avoid using the passwd parameter in the /ajax/php/login.php API endpoint until the issue is resolved.
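Until the update or the access restriction above is in place, defenders can at least spot attempts against the endpoint named in this advisory. The check below is an added example, not code from the advisory or from Ilevia: it assumes a request log that records POST bodies (a WAF or reverse-proxy full-request log) and flags requests to /ajax/php/login.php whose passwd value carries shell metacharacters. The sample records are constructed.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory for CVE-2025-34184.
VULN_PATH = "/ajax/php/login.php"
VULN_PARAM = "passwd"

# Shell metacharacters and substitution constructs: ; & | backtick, newline,
# $( ... ), ${ ... }, <( ... ), >( ... ). Their presence in the passwd value
# of a login POST to an unpatched server is worth a closer look.
SHELL_META = re.compile(r"[;&|`\n\r]|\$\(|\$\{|<\(|>\(")


def is_suspicious_login(method: str, path: str, body: str) -> bool:
    """True if a request is a POST to the vulnerable endpoint whose passwd
    parameter contains shell metacharacters. Query strings on the path are
    ignored; the body is treated as application/x-www-form-urlencoded."""
    if method.upper() != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return False
    params = parse_qs(body, keep_blank_values=True)
    # parse_qs percent-decodes values, so %3B is checked as ';'.
    return any(SHELL_META.search(v) for v in params.get(VULN_PARAM, []))


def scan_requests(records):
    """records: iterable of (method, path, body) tuples in log order.
    Returns the indices of records that look like injection attempts."""
    return [i for i, (m, p, b) in enumerate(records)
            if is_suspicious_login(m, p, b)]


# Constructed sample log (assumed format: method, path, raw POST body).
SAMPLE_LOG = [
    ("POST", "/ajax/php/login.php", "user=admin&passwd=Winter2025%21"),  # ordinary login
    ("POST", "/ajax/php/login.php", "user=admin&passwd=a%3Bb"),          # ';' in passwd
    ("GET", "/ajax/php/login.php", "passwd=a%3Bb"),                       # not a POST
    ("POST", "/ajax/php/status.php", "passwd=%24%28x%29"),                # other endpoint
    ("POST", "/ajax/php/login.php", "user=x&passwd=%24%28x%29"),          # '$(' in passwd
]

if __name__ == "__main__":
    for i in scan_requests(SAMPLE_LOG):
        print(f"suspicious request #{i}: {SAMPLE_LOG[i]}")
```

Legitimate passwords can contain `;`, `&` or `|`, so treat a hit as a triage signal for an unpatched host, not as a confirmed attack.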

Tags: Exploit · Fix · DoS · OS Command Injection

Weakness Enumeration
Related Identifiers
Affected Products
Ilevia Eve X1 Server