cbcvebase.
CVE-2025-4009
published 2025-05-28


Priority: P1 (89) · critical · CVSS 4.0 score 9.3 (full vector under CVSS provenance below)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 74.88% (99.4th percentile)
The Evertz SDVN 3080ipx-10G is a high-bandwidth Ethernet switching fabric for video applications. The device exposes a web management interface on port 80, which administrators use to control product features, set up network switching, and register licenses, among other functions. The application is written in PHP with the webEASY SDK, also named 'ewb' by Evertz. The web interface has two endpoints vulnerable to arbitrary command injection (CVE-2025-4009, CVE-2025-10364), and the authentication mechanism has a flaw leading to authentication bypass (CVE-2025-10365). CVE-2025-4009 covers the command injection in feature-transfer-import.php; CVE-2025-10364 covers the command injection in feature-transfer-export.php. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices. This level of access could lead to serious business impact such as interruption of media streaming, modification of media being streamed, and alteration of generated closed captions, among others.

Affected (6 ranges)

Vendor   Product            Version range   Fixed in
evertz   3080ipx-10g
evertz   5782xps-app-4e
evertz   7890ixg
evertz   cc_access_server
evertz   cvip
evertz   mvip-ii

Detection & IOCs (extracted from sources)

url:   /login.php?authorized={{base64(payload)}}
url:   /v.1.5/php/features/feature-transfer-export.php?action=id;&filename=&varid=&slot=
path:  /v.1.5/php/features/feature-transfer-import.php
other: eyJuYW1lIjogImFkbWlu
other: html:"evertz.min.css"
Snort rule M1 (sid:2063273):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Evertz SDVN Authentication Bypass + Command Injection Attempt M1 (CVE-2025-4009)"; flow:established,to_server; xbits:set,ET.CVE-2025-4009.attempt, track ip_dst, expire 300; http.method; content:"GET"; http.uri; content:"/login.php|3f|authorized|3d|"; startswith; content:"eyJuYW1lIjogImFkbWlu"; within:100; fast_pattern; reference:cve,2025-4009; reference:url,www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009; classtype:attempted-admin; sid:2063273; rev:1; metadata:affected_product Evertz, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_02, cve CVE_2025_4009, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Snort rule M2 (sid:2063274):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Evertz SDVN Authentication Bypass + Command Injection Attempt M2 (CVE-2025-4009)"; flow:established,to_server; xbits:isset,ET.CVE-2025-4009.attempt, track ip_dst; http.method; content:"GET"; http.uri; content:"/v.1.5/php/features/feature-transfer-export.php?"; fast_pattern; startswith; content:"action|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2025-4009; reference:url,www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009; classtype:attempted-admin; sid:2063274; rev:1; metadata:affected_product Evertz, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_02, cve CVE_2025_4009, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Authentication bypass is performed via a crafted base64-encoded JSON payload in the `authorized` GET parameter of /login.php. The payload grants admin role with no restrictions.
  • Successful authentication bypass sets cookies PHPSESSID and webeasy-loggedin and redirects to index.php — match all three in the response to confirm bypass.
  • The Snort M1 rule (sid:2063273) detects the auth bypass step: GET to /login.php with authorized= parameter containing the base64 string eyJuYW1lIjogImFkbWlu (admin user JSON). The M2 rule (sid:2063274) detects the subsequent command injection step against feature-transfer-export.php with shell metacharacters in the action parameter.
  • Shodan fingerprint for exposed Evertz SDVN devices: search for html:"evertz.min.css" to identify internet-facing targets.
  • The attack chain is two-step and stateful: M1 (auth bypass) must precede M2 (command injection). The Snort xbits mechanism tracks this across requests to the same destination IP within a 300-second window.
  • The exploit is plaintext HTTP only (port 80); TLS inspection is not required. The Snort rules explicitly note tls_state plaintext: encrypted traffic will not be detected by these signatures.
  • The Nuclei template uses a single HTTP request for the injection step (max-request: 1 for the second flow), but the full exploit requires two sequential requests: the auth bypass GET first, then the injection GET. Ensure your detection pipeline correlates both steps.
  • The vulnerable path prefix is versioned (/v.1.5/); future firmware versions may change this path, potentially evading path-based signatures.
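The two-step correlation the Snort xbits logic performs, replayed over web-server access logs for hunting after the fact. This is an added example, not code from the advisory or from Evertz; the log format (timestamp, destination IP, method, path) and the sample lines are constructed, and the M1/M2 matching mirrors the IOC strings and metacharacter set from the rules above.

```python
import re

# Constructed sample access-log lines: "epoch_seconds dst_ip method path"
SAMPLE_LOG = """\
100 10.0.0.5 GET /index.php
105 10.0.0.5 GET /login.php?authorized=eyJuYW1lIjogImFkbWlu
110 10.0.0.5 GET /v.1.5/php/features/feature-transfer-export.php?action=id;&filename=&varid=&slot=
200 10.0.0.6 GET /v.1.5/php/features/feature-transfer-export.php?action=export&filename=a&varid=1&slot=2
300 10.0.0.7 GET /v.1.5/php/features/feature-transfer-export.php?action=id%7cls&filename=
"""

ADMIN_B64 = "eyJuYW1lIjogImFkbWlu"   # IOC from the advisory: base64 prefix of the admin JSON
EXPORT_PATH = "/v.1.5/php/features/feature-transfer-export.php?"
XBIT_TTL = 300                        # seconds; mirrors 'expire 300' in the M1 rule
# Same shell metacharacters the M2 pcre looks for, raw or percent-encoded
META_RE = re.compile(r"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")


def is_m1(path):
    """M1: /login.php?authorized=... carrying the admin JSON base64 prefix."""
    return path.startswith("/login.php?authorized=") and ADMIN_B64 in path


def is_m2(path):
    """M2: feature-transfer-export.php with a shell metacharacter in the action value."""
    if not path.startswith(EXPORT_PATH):
        return False
    m = re.search(r"action=([^&]*)", path)
    return bool(m and META_RE.search(m.group(1)))


def correlate(log):
    """Return (stage, dst_ip, ts) hits; M2 only fires if M1 hit the same dst within XBIT_TTL."""
    bypass_seen = {}   # dst_ip -> timestamp of last M1, the equivalent of xbits:set
    alerts = []
    for line in log.splitlines():
        ts, dst, _method, path = line.split(maxsplit=3)
        ts = int(ts)
        if is_m1(path):
            bypass_seen[dst] = ts
            alerts.append(("M1", dst, ts))
        elif is_m2(path):
            t0 = bypass_seen.get(dst)          # xbits:isset check
            if t0 is not None and ts - t0 <= XBIT_TTL:
                alerts.append(("M2", dst, ts))
    return alerts


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(hit)
```

Note that, exactly like the Snort pair, an injection attempt with no preceding bypass against the same destination (the 10.0.0.7 line) stays silent; drop the `t0` check if you want a noisier standalone M2 hunt.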

CVSS provenance

NVD (CVSS v4.0): 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:C/RE:X/U:X
VulnCheck: 9.3 CRITICAL