CVE-2025-34513 CRITICAL

CVE-2025-34513: Ilevia EVE X1 Server 4.7.18.0.eden Unauthenticated Command Injection

Vendor Ilevia Srl.

Product EVE X1 Server

Weakness CWE-78

Published October 16, 2025

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.

Key dates

02Disclosure timeline

October 16, 2025 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-34513

Related vulnerabilities

CVE-2025-34513: Ilevia EVE X1 Server 4.7.18.0.eden Unauthenticated Command Injection

01Description

02Disclosure timeline

03References

04Related CVE