Cyber Resilience

CVE-2025-34184

CriticalPublic PoCRCE

Published: 16 September 2025

Published
16 September 2025
Modified
25 September 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0280 86.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34184 is a critical-severity OS Command Injection (CWE-78) vulnerability in Ilevia Eve X1 Server Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Ilevia EVE X1 Server versions up to and including 4.7.18.0.eden contain an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. The flaw is tracked as CVE-2025-34184, carries a CVSS 4.0 score of 9.3, and is classified under CWE-78. It stems from improper handling of the passwd HTTP POST parameter, allowing direct execution of operating-system commands without requiring authentication.

Remote, unauthenticated attackers with network access to the server can supply malicious payloads in the passwd parameter to run arbitrary system commands. Successful exploitation grants full system compromise, including the ability to execute code, exfiltrate data, or induce denial of service.

The EPSS score remains low and unchanged at 0.0280, indicating no material increase in observed exploitation interest since disclosure. Public references include technical advisories from Zero Science Lab and VulnCheck along with a proof-of-concept on Packet Storm, but no vendor patch or mitigation guidance is detailed in the available sources.

EU & UK References

Vulnerability details

Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands by injecting payloads into the 'passwd' HTTP POST parameter, leading to full system compromise or…

more

denial of service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct unauthenticated OS command injection in a public-facing web script (/ajax/php/login.php) enables remote exploitation of the application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-34514Same product: Ilevia Eve X1 Server
CVE-2025-34513Same product: Ilevia Eve X1 Server
CVE-2025-34186Same product: Ilevia Eve X1 Server
CVE-2025-60738Same product: Ilevia Eve X1 Server
CVE-2025-34187Same product: Ilevia Eve X1 Server
CVE-2025-34516Same product: Ilevia Eve X1 Server
CVE-2025-34515Same product: Ilevia Eve X1 Server
CVE-2025-60739Same product: Ilevia Eve X1 Server
CVE-2026-42454Shared CWE-78
CVE-2026-34796Shared CWE-78

Affected Assets

ilevia
eve x1 server firmware
≤ 4.7.18.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by requiring validation mechanisms for the unsanitized 'passwd' HTTP POST parameter in login.php.

prevent

Mandates timely identification, reporting, and correction of the specific input sanitization flaw enabling command injection.

preventdetect

Boundary protection mechanisms like web application firewalls monitor and block remote unauthenticated payloads targeting the vulnerable login endpoint.

References