CVE-2025-34512
published 2025-10-16
CVE-2025-34512: Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated…
Priority P4 · 29 · medium · 6.1 CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.37% (29.3th percentile)
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary script in the victim's browser. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ilevia | eve_x1_server_firmware | <= 4.7.18.0 | — |
| ilevia_srl | eve_x1_server | <= 4.7.18.0.eden | — |
CVSS provenance
nvd · v3.1 · 6.1 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd · v4.0 · 5.1 · MEDIUM · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
Ilevia EVE X1 Server up to 4.7.18.0 index.php cross site scripting
vuldb·2026-05-27·CVSS 5.1
CVE-2025-34512 [MEDIUM] Ilevia EVE X1 Server up to 4.7.18.0 index.php cross site scripting
A vulnerability was found in Ilevia EVE X1 Server up to 4.7.18.0. It has been rated as problematic. This affects an unknown function of the file index.php. The manipulation leads to cross site scripting.
This vulnerability is listed as CVE-2025-34512. The attack may be initiated remotely. There is no available exploit.
GHSA
GHSA-7q72-f6m2-x86p: Ilevia EVE X1 Server firmware versions ≤ 4
ghsa_unreviewed·2025-10-16
CVE-2025-34512 [MEDIUM] CWE-79 GHSA-7q72-f6m2-x86p: Ilevia EVE X1 Server firmware versions ≤ 4
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
CISA ICS
Ilevia EVE X1 Server
cisa_ics·2026-02-05·CVSS 7.5
[HIGH] Ilevia EVE X1 Server
ICS Advisory
## Ilevia EVE X1 Server
Release Date: February 05, 2026
Alert Code: ICSA-26-036-04
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary shell commands and could result in the disclosure of sensitive system information.
The following versions of Ilevia EVE X1 Server are affected:
- EVE X1 <=4.7.18.0 (CVE-2025-34185, CVE-2025-34184, CVE-2025-34183, CVE-2025-34186, CVE-2025-34187, CVE-2025-34517, CVE-2025-34518, CVE-2025-34512, CVE-2025-34513)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Ilevia | Ilevia EVE X1 Server | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutraliz |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-10-16