← Voltar para CVEs
CVE-2025-34184
CRITICAL9.8
Descricao
Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands by injecting payloads into the 'passwd' HTTP POST parameter, leading to full system compromise or denial of service.
Detalhes CVE
Pontuacao CVSS v3.19.8
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado9/16/2025
Ultima modificacao9/25/2025
Fontenvd
Avistamentos honeypot0
Produtos afetados
ilevia:eve_x1_serverilevia:eve_x1_server_firmware
Fraquezas (CWE)
CWE-78
Referencias
https://packetstorm.news/files/id/207717/(disclosure@vulncheck.com)
https://www.ilevia.com/(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/ilevia-eve-x1-server-neuro-code-unauth-code-injection(disclosure@vulncheck.com)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5956.php(disclosure@vulncheck.com)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5956.php(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.