CVE-2025-34513
Published 2025-10-16
Priority P2 · 76 · Critical 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS 7.68% (93.8th percentile)
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ilevia | eve_x1_server_firmware | <= 4.7.18.0 | — |
| ilevia_srl | eve_x1_server | <= 4.7.18.0.eden | — |
Detection & IOCs (extracted from sources)
Snort rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ilevia mbus_build_from_csv.php Multiple Parameters Command Injection Attempt (CVE-2025-34513)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:33; content:"/ajax/php/mbus_build_from_csv.php"; fast_pattern; http.request_body; pcre:"/mbus_(?:file|csv)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,www.zeroscience.mk/codes/ilevia_cmdinj.txt; reference:cve,2025-34513; classtype:attempted-admin; sid:2065361; rev:1;)
```
- Exploit requests use the HTTP POST method against the exact URI path /ajax/php/mbus_build_from_csv.php, which has a fixed length of 33 bytes.
- Injection payloads are carried in the POST request body within the `mbus_file` or `mbus_csv` parameters and contain shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`` ` ``/%60), pipe (|/%7C), or dollar sign ($/%24); both raw and URL-encoded forms must be matched.
- The vulnerability is unauthenticated: no session or credential checks are required before exploitation, making perimeter and internal network monitoring equally important.
- Traffic is expected in plaintext (not TLS); monitor HTTP on port 8080 specifically for this device.
- MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190).
- The vendor (Ilevia) has declined to patch this vulnerability; no fix is available. The only vendor-recommended mitigation is network-level blocking of port 8080.
- All firmware versions up to and including 4.7.18.0.eden are affected; there is no patched firmware version to upgrade to.
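As an added example (not code from the rule's authors, the vendor or this database), the matching conditions of the signature above are re-implemented in Python and run over constructed sample requests, so the positive and negative cases the rule distinguishes can be checked offline; the hostname and request bodies are made up.

```python
import re
from typing import Dict, Optional

# Conditions mirrored from the ET signature (sid 2065361) quoted above.
TARGET_URI = b"/ajax/php/mbus_build_from_csv.php"   # exactly 33 bytes (bsize:33)

# Same PCRE as the rule: a vulnerable parameter, then at least one shell
# metacharacter (; newline ` | $) in raw or URL-encoded form before the next '&'.
META_RE = re.compile(
    rb"mbus_(?:file|csv)=[^&]*?"
    rb"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)+"
)


def matches_cve_2025_34513(raw: bytes) -> Optional[str]:
    """Return the flagged parameter name if the request matches the rule, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 3:
        return None
    method, uri = parts[0], parts[1]
    if method != b"POST" or uri != TARGET_URI:      # http.method + http.uri/bsize
        return None
    m = META_RE.search(body)                        # http.request_body + pcre
    return m.group(0).split(b"=", 1)[0].decode() if m else None


def build_request(method: str, uri: str, body: bytes) -> bytes:
    """Assemble a minimal plaintext HTTP/1.1 request (constructed sample traffic)."""
    head = (f"{method} {uri} HTTP/1.1\r\nHost: eve-x1.example:8080\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


# Constructed samples: the first two are what legitimate use would look like.
U = TARGET_URI.decode()
SAMPLES: Dict[str, bytes] = {
    "benign_csv":     build_request("POST", U, b"mbus_file=meters.csv&mbus_csv=1,2,3"),
    "meta_other_arg": build_request("POST", U, b"note=a;b&mbus_file=meters.csv"),
    "raw_semicolon":  build_request("POST", U, b"mbus_file=meters.csv;echo probe"),
    "encoded_pipe":   build_request("POST", U, b"mbus_csv=a%7Cecho"),
    "dollar":         build_request("POST", U, b"mbus_csv=$HOME"),
    "wrong_method":   build_request("GET", U, b"mbus_file=meters.csv;echo probe"),
    "wrong_uri":      build_request("POST", "/ajax/php/other.php", b"mbus_file=meters.csv;echo probe"),
}


def scan_samples() -> Dict[str, Optional[str]]:
    """Run the check over every sample; value is the flagged parameter or None."""
    return {name: matches_cve_2025_34513(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:15s} -> {'ALERT param=' + hit if hit else 'no alert'}")
```

Note that a metacharacter in an unrelated parameter (`meta_other_arg`) and a query string appended to the URI both fall outside the rule, exactly as the `bsize:33` and parameter-anchored PCRE imply.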
CVSS provenance
- NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v4.0: 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA ICS
Ilevia EVE X1 Server (cisa_ics · 2026-02-05 · CVSS 7.5 · [HIGH])
ICS Advisory
## Ilevia EVE X1 Server
Release Date: February 05, 2026
Alert Code: ICSA-26-036-04
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary shell commands and disclose sensitive system information.
The following versions of Ilevia EVE X1 Server are affected:
- EVE X1 <=4.7.18.0 (CVE-2025-34185, CVE-2025-34184, CVE-2025-34183, CVE-2025-34186, CVE-2025-34187, CVE-2025-34517, CVE-2025-34518, CVE-2025-34512, CVE-2025-34513)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Ilevia | Ilevia EVE X1 Server | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutraliz |
GHSA
GHSA-xgvx-j695-6gj9 (ghsa_unreviewed · 2025-10-16 · CVE-2025-34513 · CRITICAL · CWE-78)
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Suricata
ET WEB_SPECIFIC_APPS Ilevia mbus_build_from_csv.php Multiple Parameters Command Injection Attempt (CVE-2025-34513) (suricata · 2025-10-23 · CVSS 9.3 · CRITICAL)

Rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ilevia mbus_build_from_csv.php Multiple Parameters Command Injection Attempt (CVE-2025-34513)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:33; content:"/ajax/php/mbus_build_from_csv.php"; fast_pattern; http.request_body; pcre:"/mbus_(?:file|csv)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,www.zeroscience.mk/codes/ilevia_cmdinj.txt; reference:cve,2025-34513; classtype:attempted-admin; sid:2065361; rev:1; metadata:affected_product Ilevia, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_23,
```
No public exploits indexed.
No writeups or analysis indexed.
Published 2025-10-16