CVE-2025-10364
Published 2025-09-12
Priority P270 · critical · 9.3 (CVSS 4.0)
EPSS: 6.33% (92.8th percentile)
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. The device exposes a web management interface on port 80, which administrators use to control product features, set up network switching, and register licenses, among other features. The application is written in PHP with the webEASY SDK, which Evertz also names ‘ewb’.
The web interface has two endpoints that are vulnerable to arbitrary command injection (CVE-2025-4009, CVE-2025-10364), and its authentication mechanism has a flaw that leads to authentication bypass (CVE-2025-10365).
CVE-2025-4009 covers the command injection in feature-transfer-import.php.
CVE-2025-10364 covers the command injection in feature-transfer-export.php.
Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.
This level of access could lead to serious business impact, such as the interruption of media streaming, modification of media being streamed, and alteration of closed captions being generated, among others.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| evertz | 3080ipx-10g | — | — |
| evertz | 5782xps-app-4e | — | — |
| evertz | 7890ixg | — | — |
| evertz | cc_access_server | — | — |
| evertz | cvip | — | — |
| evertz | mvip-ii | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:C/RE:X/U:X |
| vulncheck | — | 9.3 | CRITICAL | — |
GHSA
GHSA-g37v-5m8f-34c3: The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application
ghsa_unreviewed·2025-09-12·CVSS 9.3
CVE-2025-10365 [CRITICAL] CWE-287 GHSA-g37v-5m8f-34c3: The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application
GHSA
GHSA-g4mx-9xwc-mmmw: The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application
ghsa_unreviewed·2025-09-12·CVSS 9.3
CVE-2025-10364 [CRITICAL] CWE-77 GHSA-g4mx-9xwc-mmmw: The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application
VulnCheck
Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck·2025·CVSS 9.3
CVE-2025-4009 [CRITICAL] Improper Neutralization of Special Elements used in a Command ('Command Injection')
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-31215 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
bugzilla·2025-05-15·CVSS 6.5
CVE-2025-31215 [MEDIUM] CVE-2025-31215 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
The issue was addressed with improved checks. This issue is fixed in watchOS 11.5, tvOS 18.5, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
Bugzilla
CVE-2023-42875 webkitgtk: Processing web content may lead to arbitrary code execution
bugzilla·2025-05-15·CVSS 7.3
CVE-2023-42875 [HIGH] CVE-2023-42875 webkitgtk: Processing web content may lead to arbitrary code execution
Processing web content may lead to arbitrary code execution. This issue is fixed in iOS 17 and iPadOS 17, macOS Sonoma 14, watchOS 10, tvOS 17, Safari 17. The issue was addressed with improved memory handling.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
Bugzilla
CVE-2025-31204 webkitgtk: Processing maliciously crafted web content may lead to memory corruption
bugzilla·2025-05-15·CVSS 8.8
CVE-2025-31204 [HIGH] CVE-2025-31204 webkitgtk: Processing maliciously crafted web content may lead to memory corruption
The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to memory corruption.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
Bugzilla
CVE-2023-42970 webkitgtk: Processing web content may lead to arbitrary code execution
bugzilla·2025-05-15·CVSS 8.8
CVE-2023-42970 [HIGH] CVE-2023-42970 webkitgtk: Processing web content may lead to arbitrary code execution
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, macOS Sonoma 14, watchOS 10, tvOS 17, Safari 17. Processing web content may lead to arbitrary code execution.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
Bugzilla
CVE-2025-24223 webkitgtk: Processing maliciously crafted web content may lead to memory corruption
bugzilla·2025-05-15·CVSS 8.0
CVE-2025-24223 [HIGH] CVE-2025-24223 webkitgtk: Processing maliciously crafted web content may lead to memory corruption
The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to memory corruption.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
Bugzilla
CVE-2025-31206 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
bugzilla·2025-05-15·CVSS 4.3
CVE-2025-31206 [MEDIUM] CVE-2025-31206 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
A type confusion issue was addressed with improved state handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
Bugzilla
CVE-2025-24264 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
bugzilla·2025-04-07·CVSS 9.8
CVE-2025-24264 [CRITICAL] CVE-2025-24264 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
The issue was addressed with improved memory handling. This issue is fixed in visionOS 2.4, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, Safari 18.4. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
Bugzilla
CVE-2025-24213 webkitgtk: A type confusion issue could lead to memory corruption
bugzilla·2025-04-07·CVSS 7.8
CVE-2025-24213 [HIGH] CVE-2025-24213 webkitgtk: A type confusion issue could lead to memory corruption
This issue was addressed with improved handling of floats. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A type confusion issue could lead to memory corruption.
Discussion:
This CVE is fixed only on ARM architectures by https://github.com/WebKit/WebKit/commit/4c65775f049beec4fe0a50c1243dcfa634bf33e1. x86_64 is not vulnerable. x86 is not vulnerable when the SSE2 instruction set is enabled. Other architectures remain vulnerable. The fix for this CVE causes the build to fail on 32-bit ARM architectures.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://a
Bugzilla
CVE-2024-54658 webkitgtk: Processing web content may lead to a denial-of-service
bugzilla·2025-02-11·CVSS 6.5
CVE-2024-54658 [MEDIUM] CVE-2024-54658 webkitgtk: Processing web content may lead to a denial-of-service
The issue was addressed with improved memory handling. This issue is fixed in iOS 17.4 and iPadOS 17.4, Safari 17.4, tvOS 17.4, watchOS 10.4, visionOS 1.1, macOS Sonoma 14.4. Processing web content may lead to a denial-of-service.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
Bugzilla
CVE-2025-24143 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user
bugzilla·2025-02-10·CVSS 6.5
CVE-2025-24143 [MEDIUM] CVE-2025-24143 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user
The issue was addressed with improved access restrictions to the file system. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:2035 https://access.redhat.com/errata/RHSA-2025:2035
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2025:2034 https://access.redhat.com/errata/RHSA-2025:2034
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 h
Bugzilla
CVE-2025-24150 webkitgtk: Copying a URL from Web Inspector may lead to command injection
bugzilla·2025-02-10·CVSS 8.8
CVE-2025-24150 [HIGH] CVE-2025-24150 webkitgtk: Copying a URL from Web Inspector may lead to command injection
A privacy issue was addressed with improved handling of files. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3. Copying a URL from Web Inspector may lead to command injection.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:2035 https://access.redhat.com/errata/RHSA-2025:2035
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2025:2034 https://access.redhat.com/errata/RHSA-2025:2034
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHS
Bugzilla
CVE-2025-24158 webkitgtk: Processing web content may lead to a denial-of-service
bugzilla·2025-02-10·CVSS 6.5
CVE-2025-24158 [MEDIUM] CVE-2025-24158 webkitgtk: Processing web content may lead to a denial-of-service
The issue was addressed with improved memory handling. This issue is fixed in visionOS 2.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Processing web content may lead to a denial-of-service.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:2035 https://access.redhat.com/errata/RHSA-2025:2035
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2025:2034 https://access.redhat.com/errata/RHSA-2025:2034
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat
Bugzilla
CVE-2024-54534 webkit: Processing maliciously crafted web content may lead to memory corruption
bugzilla·2024-12-23·CVSS 9.8
CVE-2024-54534 [CRITICAL] CVE-2024-54534 webkit: Processing maliciously crafted web content may lead to memory corruption
The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, Safari 18.2, iOS 18.2 and iPadOS 18.2. Processing maliciously crafted web content may lead to memory corruption.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:9553 https://access.redhat.com/errata/RHSA-2024:9553
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
Bugzilla
CVE-2024-44308 webkitgtk: javascriptcore: processing maliciously crafted web content may lead to arbitrary code execution
bugzilla·2024-11-21·CVSS 8.8
CVE-2024-44308 [HIGH] CVE-2024-44308 webkitgtk: javascriptcore: processing maliciously crafted web content may lead to arbitrary code execution
A vulnerability was discovered in WebKitGTK's JIT compiler.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
Bugzilla
CVE-2020-9850 webkitgtk: Logic issue may lead to arbitrary code execution
bugzilla·2020-09-16·CVSS 9.8
CVE-2020-9850 [CRITICAL] CVE-2020-9850 webkitgtk: Logic issue may lead to arbitrary code execution
A logic issue was in webkitgtk. A remote attacker may be able to cause arbitrary code execution. Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3.
Discussion:
External References:
https://webkitgtk.org/security/WSA-2020-0006.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4451 https://access.redhat.com/errata/RHSA-2020:4451
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-9850
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Via RHSA-2025:10364 https://a
Published: 2025-09-12