Vulnerability Description
Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands by injecting payloads into the 'passwd' HTTP POST parameter, leading to full system compromise or denial of service.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ilevia | Eve X1 Server Firmware | <= 4.7.18.0 |
| Ilevia | Eve X1 Server | - |
Related Weaknesses (CWE)
References
- https://packetstorm.news/files/id/207717/ExploitThird Party Advisory
- https://www.ilevia.com/Product
- https://www.vulncheck.com/advisories/ilevia-eve-x1-server-neuro-code-unauth-codeThird Party Advisory
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5956.phpExploitThird Party Advisory
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5956.phpExploitThird Party Advisory
FAQ
What is CVE-2025-34184?
CVE-2025-34184 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands by...
How severe is CVE-2025-34184?
CVE-2025-34184 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-34184?
Check the references section above for vendor advisories and patch information. Affected products include: Ilevia Eve X1 Server Firmware, Ilevia Eve X1 Server.