Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a misconfiguration in the sudoers file that allows passwordless execution of certain Bash scripts. If these scripts are writable by web-facing users or accessible via command injection, attackers can replace them with malicious payloads. Execution with sudo grants full root access, resulting in remote privilege escalation and potential system compromise.
References
| Link | Resource |
|---|---|
| https://packetstorm.news/files/id/209226/ | Exploit Third Party Advisory Permissions Required |
| https://www.ilevia.com/ | Product |
| https://www.vulncheck.com/advisories/ilevia-eve-x1-x5-server-reverse-rootshell | Third Party Advisory |
| https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5959.php | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
| AND |
|
History
25 Sep 2025, 14:51
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:h:ilevia:eve_x1_server:-:*:*:*:*:*:*:* cpe:2.3:o:ilevia:eve_x1_server_firmware:*:*:*:*:*:*:*:* |
|
| References | () https://packetstorm.news/files/id/209226/ - Exploit, Third Party Advisory, Permissions Required | |
| References | () https://www.ilevia.com/ - Product | |
| References | () https://www.vulncheck.com/advisories/ilevia-eve-x1-x5-server-reverse-rootshell - Third Party Advisory | |
| References | () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5959.php - Exploit, Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
| First Time |
Ilevia
Ilevia eve X1 Server Ilevia eve X1 Server Firmware |
16 Sep 2025, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-16 20:15
Updated : 2025-09-25 14:51
NVD link : CVE-2025-34187
Mitre link : CVE-2025-34187
CVE.ORG link : CVE-2025-34187
JSON object : View
Products Affected
ilevia
- eve_x1_server_firmware
- eve_x1_server