Cyber Posture

CVE-2025-60738

CriticalPublic PoCRCE

Published: 20 November 2025

Published
20 November 2025
Modified
15 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0090 75.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-60738 is a critical-severity OS Command Injection (CWE-78) vulnerability in Ilevia Eve X1 Server Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the lack of secure filtering on IP parameters in ping.php by requiring validation of inputs to prevent command injection.

SI-2 Flaw Remediation good match
prevent

Ensures timely remediation of the command injection flaw through firmware updates for affected Ilevia EVE X1 Server versions.

SI-9 Information Input Restrictions partial match
prevent

Restricts IP parameters to valid formats and quantities, mitigating injection attempts by blocking malformed inputs to ping.php.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is a command injection in the public-facing ping.php web component, enabling unauthenticated remote arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before Logic Version v6.00 - 2025_07_21 and before allows a remote attacker to execute arbitrary code via the ping.php component does not perform secure filtering on IP parameters

Deeper analysisAI

CVE-2025-60738 is a critical command injection vulnerability (CWE-78) affecting Ilevia EVE X1 Server Firmware versions v4.7.18.0.eden and earlier, as well as Logic Versions prior to v6.00-2025_07_21. The flaw exists in the ping.php component, which does not perform secure filtering on IP parameters, allowing remote attackers to execute arbitrary code. Published on 2025-11-20, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability over the network without authentication, privileges, or user interaction. By crafting malicious IP parameters in requests to ping.php, the attacker achieves arbitrary code execution on the server, resulting in high-impact confidentiality, integrity, and availability violations, such as full system compromise.

The primary reference is a GitHub repository at https://github.com/iSee857/ilevia-EVE-X1-Server, which provides details on the vulnerability but does not specify official patches or mitigation steps in the available information.

Details

CWE(s)
CWE-78

Affected Products

ilevia
eve x1 server firmware
4.7.18.0

CVEs Like This One

CVE-2025-34514Same product: Ilevia Eve X1 Server
CVE-2025-34513Same product: Ilevia Eve X1 Server
CVE-2025-34184Same product: Ilevia Eve X1 Server
CVE-2025-34186Same product: Ilevia Eve X1 Server
CVE-2025-60739Same product: Ilevia Eve X1 Server
CVE-2025-34515Same product: Ilevia Eve X1 Server
CVE-2025-34187Same product: Ilevia Eve X1 Server
CVE-2025-34516Same product: Ilevia Eve X1 Server
CVE-2026-23702Shared CWE-78
CVE-2024-50603Shared CWE-78

References