CVE-2025-34186

Summary

Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Because the binary interprets non-zero exit codes from system() as successful authentication, remote attackers can bypass authentication and gain full access to the system.

Affected Software

VendorProductVersion RangeStatus
Ilevia Srl.EVE X1/X5 Server0 <= 4.7.18.0.eden (Logic version: 6.00)affected

Weaknesses

  • CWE-287: CWE-287 Improper Authentication
  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References