← back
CVE-2025-34513

Ilevia EVE X1 Server 4.7.18.0.eden Unauthenticated Command Injection

CVSS 9.3 CRITICALEPSS 7.7%CWE-78
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Ilevia Srl. · EVE X1 Server
public PoCs found1
cve_referencewww.zeroscience.mk/en/vulnerabilities/ZSL-2025-5962.phpunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.ilevia.com/https://www.vulncheck.com/advisories/ilevia-eve-x1-server-unauth-command-injectionhttps://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5962.php