CVE-2025-4009
Published: 28 May 2025
Summary
CVE-2025-4009 is a critical-severity Command Injection (CWE-77) vulnerability. The affected product is recorded here as Onekey (inferred from references); note that Onekey is the publisher of the referenced advisory, while the affected device named in the analysis below is the Evertz SDVN 3080ipx-10G. Its CVSS base score is 9.3 (Critical).
Operationally, it is ranked in the top 7.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Evertz SDVN 3080ipx-10G High Bandwidth Ethernet Switching Fabric for Video Applications contains a command injection vulnerability (CVE-2025-4009) in the feature-transfer-import.php endpoint of its PHP-based web management interface on port 80, which was built using the webEASY SDK. The flaw is tracked under CWE-77 and carries a CVSS 4.0 score of 9.3.
Remote unauthenticated attackers can exploit the injection to execute arbitrary commands with root privileges on the device. Successful exploitation enables disruption or modification of media streams, alteration of closed captions, and other operational impacts on broadcast infrastructure.
The sole referenced advisory at https://www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009 does not detail patches or mitigations in the information supplied here. EPSS for the CVE rose from lower values to a peak of 0.1345 on 2026-04-16 before receding to the current 0.0808, indicating post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16284
Vulnerability details
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Applications. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, set up network switching, and register licenses, among other features. The application has been developed in PHP with the webEASY SDK, also named ‘ewb’ by Evertz. This web interface has two endpoints that are vulnerable to arbitrary command injection (CVE-2025-4009, CVE-2025-10364), and the authentication mechanism has a flaw leading to authentication bypass (CVE-2025-10365).
- CVE-2025-4009 covers the command injection in feature-transfer-import.php
- CVE-2025-10364 covers the command injection in feature-transfer-export.php
Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices. This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, and alteration of closed captions being generated, among others.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.