Authenticated OS Command Injection in Ilevia EVE X1 Server Firmware
CVE-2025-34514

8.7HIGH

Key Information:

Vendor: Ilevia Srl.
Status: Eve X1 Server
Vendor: CVE Published:; 16 October 2025

🔔 Create Ilevia Srl. Vulnerability Alert

What is CVE-2025-34514?

The Ilevia EVE X1 Server firmware versions up to 4.7.18.0.eden has a vulnerability that permits authenticated attackers to inject operating system commands through multiple PHP scripts. These scripts utilize the exec() function, thus allowing attackers to execute arbitrary commands within the context of the server. Ilevia has advised their users to avoid exposing port 8080 to the internet to mitigate potential exploitation of this vulnerability.

Affected Version(s)

EVE X1 Server * <= 4.7.18.0.eden

References

https://www.ilevia.com/

product

https://www.vulncheck.com/advisories/ilevia-eve-x1-server...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

Gjoko Krstic of Zero Science Lab

JSON