CVE-2025-34184
Published: 16 September 2025
Summary
CVE-2025-34184 is a critical-severity OS Command Injection (CWE-78) vulnerability in Ilevia Eve X1 Server Firmware. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Ilevia EVE X1 Server versions up to and including 4.7.18.0.eden contain an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. The flaw is tracked as CVE-2025-34184, carries a CVSS 4.0 score of 9.3, and is classified under CWE-78. It stems from improper handling of the passwd HTTP POST parameter, allowing direct execution of operating-system commands without requiring authentication.
Remote, unauthenticated attackers with network access to the server can supply malicious payloads in the passwd parameter to run arbitrary system commands. Successful exploitation grants full system compromise, including the ability to execute code, exfiltrate data, or induce denial of service.
The EPSS score remains low and unchanged at 0.0280, indicating no material increase in observed exploitation interest since disclosure. Public references include technical advisories from Zero Science Lab and VulnCheck along with a proof-of-concept on Packet Storm, but no vendor patch or mitigation guidance is detailed in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29647
Vulnerability details
Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands by injecting payloads into the 'passwd' HTTP POST parameter, leading to full system compromise or…
more
denial of service.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated OS command injection in a public-facing web script (/ajax/php/login.php) enables remote exploitation of the application (T1190) and arbitrary Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents OS command injection by requiring validation mechanisms for the unsanitized 'passwd' HTTP POST parameter in login.php.
Mandates timely identification, reporting, and correction of the specific input sanitization flaw enabling command injection.
Boundary protection mechanisms like web application firewalls monitor and block remote unauthenticated payloads targeting the vulnerable login endpoint.