CVE-2025-34514 HIGH

CVE-2025-34514: Ilevia EVE X1 Server 4.7.18.0.eden Authenticated Command Injection

Vendor Ilevia Srl.
Product EVE X1 Server
Weakness CWE-78
Published October 16, 2025
Last update May 15, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain authenticated OS command injection vulnerabilities in multiple web-accessible PHP scripts that call exec() and allow an authenticated attacker to execute arbitrary commands. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.

Key dates

02Disclosure timeline

October 16, 2025 CVE published
May 15, 2026 Record updated