Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Due to the binary's interpretation of non-zero exit codes as successful authentication, remote attackers can bypass authentication and gain full access to the system.
References
| Link | Resource |
|---|---|
| https://packetstorm.news/files/id/208871/ | Exploit Third Party Advisory |
| https://www.ilevia.com/ | Product |
| https://www.vulncheck.com/advisories/ilevia-eve-x1-x5-server-auth-bypass | Third Party Advisory |
| https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5958.php | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
| AND |
|
History
24 Sep 2025, 16:22
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://packetstorm.news/files/id/208871/ - Exploit, Third Party Advisory | |
| References | () https://www.ilevia.com/ - Product | |
| References | () https://www.vulncheck.com/advisories/ilevia-eve-x1-x5-server-auth-bypass - Third Party Advisory | |
| References | () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5958.php - Exploit, Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
| CPE | cpe:2.3:o:ilevia:eve_x1_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:ilevia:eve_x1:-:*:*:*:*:*:*:* |
|
| First Time |
Ilevia eve X1
Ilevia Ilevia eve X1 Firmware |
16 Sep 2025, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-16 20:15
Updated : 2025-09-24 16:22
NVD link : CVE-2025-34186
Mitre link : CVE-2025-34186
CVE.ORG link : CVE-2025-34186
JSON object : View
Products Affected
ilevia
- eve_x1_firmware
- eve_x1