Cyber Resilience

CVE-2025-34186

Critical · Public PoC · RCE · Updated

Published: 16 September 2025
Modified: 26 May 2026
KEV Added: not listed
Patch
CVSS Score (v4): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0065 (71.3rd percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34186 is a critical-severity OS Command Injection (CWE-78) vulnerability in Ilevia Eve X1 Server Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 28.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Ilevia EVE X1/X5 Server versions up to and including 4.7.18.0.eden contain an authentication bypass vulnerability stemming from unsanitized user input passed directly to a system() call. The affected binary treats any non-zero exit status from that call as successful authentication, so the defect is an OS command injection (CWE-78) compounded by improper authentication handling (CWE-287). The flaw is remotely reachable without credentials or user interaction.

Unauthenticated attackers can supply crafted input over the network to bypass the login mechanism entirely and obtain full administrative access to the server. The CVSS 9.3 rating reflects the combination of network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

EPSS for the CVE rose from a low baseline to a peak of 0.0167 on 2026-02-24 before receding to the current value of 0.0065, indicating a measurable increase in exploitation interest after public disclosure. Public references, including detailed technical write-ups from Zero Science and VulnCheck, provide further context on the issue.

Vulnerability details

Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Because the binary interprets non-zero exit codes from system() as successful authentication, remote attackers can bypass authentication and gain full access to the system.

CWE(s): CWE-78 (OS Command Injection), CWE-287 (Improper Authentication)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct unauthenticated OS command injection (CWE-78) in a remotely exposed authentication endpoint enables initial access via public-facing application exploitation (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-34514: same product (Ilevia Eve X1 Server)
CVE-2025-34184: same product (Ilevia Eve X1 Server)
CVE-2025-34513: same product (Ilevia Eve X1 Server)
CVE-2025-60738: same product (Ilevia Eve X1 Server)
CVE-2025-34187: same product (Ilevia Eve X1 Server)
CVE-2025-34515: same product (Ilevia Eve X1 Server)
CVE-2025-60739: same product (Ilevia Eve X1 Server)
CVE-2025-34516: same product (Ilevia Eve X1 Server)
CVE-2024-57016: shared CWE-78
CVE-2026-23592: shared CWE-78

Affected Assets

ilevia
eve x1 server firmware
≤ 4.7.18.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires validation and sanitization of all input before it is passed to system() or other external calls, blocking the command-injection vector.

prevent: Enforces that authentication decisions must be based on correct, reliable results rather than any non-zero exit code from an injected command.

prevent: Requires the system to perform identification and authentication using mechanisms that cannot be trivially bypassed by malformed input or exit-code manipulation.
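The two defects described under "Vulnerability details" (shell-parsed input reaching system(), and a non-zero exit status read as success) map directly onto the input-validation and authentication-decision controls listed above. The following C example is added here to illustrate both; it is not Ilevia's code and does not reflect the firmware's actual helper or file paths. The helper path AUTH_HELPER, its --user argument, and the username allowlist are assumptions chosen for the example. It shows the flawed decision rule beside the correct one, an allowlist validator that rejects shell metacharacters before any external call, and a helper invocation via execv() so no shell ever parses the input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical external authentication helper; placeholder path, not a real binary. */
#define AUTH_HELPER "/opt/example/auth-helper"

/* Flawed rule from the advisory: any non-zero status counts as authenticated.
 * A command that fails, is missing, or is injected to fail all "succeed" here. */
int flawed_auth_decision(int status) {
    return status != 0;
}

/* Correct rule: the helper must terminate normally AND report exit code 0.
 * Signals, exec failures (127) and explicit failures are all rejected. */
int correct_auth_decision(int status) {
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Allowlist validation (SI-10 style): 1..64 chars of [A-Za-z0-9._-].
 * Anything outside the allowlist, including shell metacharacters, is refused
 * before it can reach any external command. */
int is_valid_username(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Run the helper with argv passed verbatim (no /bin/sh, so no command parsing).
 * Returns the raw wait status, or -1 on fork/wait failure. If exec fails the
 * child exits 127, which the correct rule above treats as not authenticated. */
int run_helper_no_shell(const char *path, const char *user) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)path, "--user", (char *)user, NULL };
        execv(path, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return status;
}

/* Hardened authentication: validate first, never use a shell, and only
 * accept a clean exit code 0 as success. Returns 1 if authenticated. */
int authenticate_hardened(const char *user) {
    if (!is_valid_username(user)) return 0;
    int status = run_helper_no_shell(AUTH_HELPER, user);
    if (status < 0) return 0;
    return correct_auth_decision(status);
}

int main(void) {
    const char *sample = "alice";   /* constructed sample input */
    int status = run_helper_no_shell(AUTH_HELPER, sample);
    printf("helper status=%d flawed=%d correct=%d hardened=%d\n",
           status, flawed_auth_decision(status), correct_auth_decision(status),
           authenticate_hardened(sample));
    return 0;
}
```

With the placeholder helper absent, execv() fails and the child exits 127: the flawed rule reports the user as authenticated while the correct rule does not, which is exactly the exit-code confusion the advisory describes. Substituting /bin/true for AUTH_HELPER yields a clean exit 0 and the hardened path returns 1; /bin/false returns 0.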
