CVE-2025-34513
Published: 16 October 2025
Summary
CVE-2025-34513 is a critical-severity OS Command Injection (CWE-78) vulnerability in Ilevia Eve X1 Server Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates OS command injection by validating and sanitizing inputs to the vulnerable mbus_build_from_csv.php endpoint to block arbitrary command execution.
Enforces boundary protection to monitor and control network access to port 8080, preventing unauthenticated remote exploitation as recommended by the vendor.
Enforces approved access authorizations to the vulnerable unauthenticated endpoint, blocking unauthorized logical access that enables command injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated OS command injection in a network-accessible PHP endpoint (port 8080) enables exploitation of a public-facing application (T1190) for arbitrary Unix shell command execution (T1059.004).
NVD Description
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080…
more
to the internet.
Deeper analysisAI
CVE-2025-34513 is an OS command injection vulnerability (CWE-78) affecting Ilevia EVE X1 Server firmware versions up to and including 4.7.18.0.eden. The flaw resides in the mbus_build_from_csv.php component, enabling an unauthenticated attacker to execute arbitrary operating system commands. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for complete system compromise.
An unauthenticated remote attacker can exploit this vulnerability over the network by sending a specially crafted request to the vulnerable endpoint, achieving arbitrary code execution on the underlying server. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing full control over the affected device, including data exfiltration, persistence, or further lateral movement within the target environment.
Advisories from VulnCheck and Zero Science Labs detail the issue, while Ilevia has explicitly declined to provide a patch or further servicing. The vendor recommends that customers avoid exposing port 8080 to the internet as the primary mitigation, emphasizing network segmentation and access controls to prevent exploitation.
Details
- CWE(s)