Cyber Resilience

CVE-2025-4009

Critical · RCE

Published: 28 May 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:C/RE:X/U:X)
EPSS Score: 0.0808 (92.3th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-4009 is a critical-severity Command Injection (CWE-77) vulnerability in Onekey (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, it is ranked in the top 7.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Evertz SDVN 3080ipx-10G High Bandwidth Ethernet Switching Fabric for Video Applications contains a command injection vulnerability (CVE-2025-4009) in the feature-transfer-import.php endpoint of its PHP-based web management interface on port 80, which was built using the webEASY SDK. The flaw is tracked under CWE-77 and carries a CVSS 4.0 score of 9.3.

Remote unauthenticated attackers can exploit the injection to execute arbitrary commands with root privileges on the device. Successful exploitation enables disruption or modification of media streams, alteration of closed captions, and other operational impacts on broadcast infrastructure.

The sole referenced advisory at https://www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009 does not detail patches or mitigations in the supplied information. EPSS for the CVE rose from lower values to a peak of 0.1345 on 2026-04-16 before receding to the current 0.0808, indicating post-disclosure exploitation interest.

EU & UK References

Vulnerability details

The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, set up network switching, and register licenses, among other features. The application has been developed in PHP with the webEASY SDK, also named ‘ewb’ by Evertz. This web interface has two endpoints that are vulnerable to arbitrary command injection (CVE-2025-4009, CVE-2025-10364), and the authentication mechanism has a flaw leading to authentication bypass (CVE-2025-10365).

CVE-2025-4009 covers the command injection in feature-transfer-import.php.
CVE-2025-10364 covers the command injection in feature-transfer-export.php.

Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices. This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, and alteration of closed captions being generated, among others.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Onekey
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References