Ilevia Srl Eve X1 Server vulnerabilities
11 known vulnerabilities affecting ilevia_srl/eve_x1_server.
Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 6, MEDIUM 1
Vulnerabilities
CVE-2025-34513 | CRITICAL (CVSS 9.8, P2) | CWE-78 | Affected: ≤ 4.7.18.0.eden | Date: 2025-10-16
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Source: NVD
CVE-2025-34515 | CRITICAL (CVSS 9.8, P2) | CWE-250 | Affected: ≤ 4.7.18.0.eden | Date: 2025-10-16
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an execution with unnecessary privileges vulnerability in sync_project.sh that allows an attacker to escalate privileges to root. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Source: NVD
CVE-2025-34184 | CRITICAL (CVSS 9.8, P2) | CWE-78 | Affected: ≤ 4.7.18.0.eden (Logic version: 6.00) | Date: 2025-09-16
Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands by injecting payloads into the 'passwd' HTTP POST parameter, leading to full system compromise or denial of service.
Source: NVD
CVE-2025-34516 | CRITICAL (CVSS 9.8, P2) | CWE-1392 | Affected: ≤ 4.7.18.0.eden | Date: 2025-10-16
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a use of default credentials vulnerability that allows an unauthenticated attacker to obtain remote access. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Source: NVD
CVE-2025-34514 | HIGH (CVSS 8.8, P2) | CWE-78 | Affected: ≤ 4.7.18.0.eden | Date: 2025-10-16
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain authenticated OS command injection vulnerabilities in multiple web-accessible PHP scripts that call exec() and allow an authenticated attacker to execute arbitrary commands. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Source: NVD
CVE-2025-34183 | HIGH (CVSS 7.5, P3) | CWE-532 | Affected: ≤ 4.7.18.0.eden (Logic version: 6.00) | Date: 2025-09-16
Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains a vulnerability in its server-side logging mechanism that allows unauthenticated remote attackers to retrieve plaintext credentials from exposed .log files. This flaw enables full authentication bypass and system compromise through credential reuse.
Source: NVD
CVE-2025-34518 | HIGH (CVSS 7.5, P3) | CWE-22 | Affected: ≤ 4.7.18.0.eden | Date: 2025-10-16
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a relative path traversal vulnerability in get_file_content.php that allows an attacker to read arbitrary files. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Source: NVD
CVE-2025-34517 | HIGH (CVSS 7.5, P3) | CWE-22 | Affected: ≤ 4.7.18.0.eden | Date: 2025-10-16
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an absolute path traversal vulnerability in get_file_content.php that allows an attacker to read arbitrary files. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Source: NVD
CVE-2025-34185 | HIGH (CVSS 7.5, P3) | CWE-22 | Affected: ≤ 4.7.18.0.eden | Date: 2025-09-16
Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains a pre-authentication file disclosure vulnerability via the 'db_log' POST parameter. Remote attackers can retrieve arbitrary files from the server, exposing sensitive system information and credentials.
Source: NVD
CVE-2025-34519 | HIGH (CVSS 7.5, P3) | CWE-327 | Affected: ≤ 4.7.18.0.eden | Date: 2025-10-16
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an insecure hashing algorithm vulnerability. The product stores passwords using the MD5 hash function without applying a per-password salt. Because MD5 is a fast, unsalted hash, an attacker who obtains the password database can efficiently perform offline dictionary, rainbow-table, or brut
Source: NVD
CVE-2025-34512 | MEDIUM (CVSS 6.1, P4) | CWE-79 | Affected: ≤ 4.7.18.0.eden | Date: 2025-10-16
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary script in the victim's browser. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Source: NVD