CVE-2025-34184

Ilevia EVE X1 Server 4.7.18.0.eden Neuro-Core Unauthenticated Code Injection

CVSS 9.3 CRITICALEPSS 2.8%CWE-78

Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands by injecting payloads into the 'passwd' HTTP POST parameter, leading to full system compromise or denial of service.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Ilevia Srl. · EVE X1 Server

public PoCs found — 2

cve_referencepacketstorm.news/files/id/207717/unverified cve_referencewww.zeroscience.mk/en/vulnerabilities/ZSL-2025-5956.phpunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://packetstorm.news/files/id/207717/https://www.ilevia.com/https://www.vulncheck.com/advisories/ilevia-eve-x1-server-neuro-code-unauth-code-injection https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5956.php