CVE-2025-34187

Ilevia EVE X1/X5 Server version  4.7.18.0.eden contains a misconfiguration in the sudoers file that allows passwordless execution of certain Bash scripts. If these scripts are writable by web-facing users or accessible via command injection, attackers can replace them with malicious payloads. Execution with sudo grants full root access, resulting in remote privilege escalation and potential system compromise.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheckCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
VendorProductVersion
ileviaeve_x1_server_firmware
𝑥
≤ 4.7.18.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://packetstorm.news/files/id/209226/
https://www.ilevia.com/
https://www.vulncheck.com/advisories/ilevia-eve-x1-x5-server-reverse-rootshell
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5959.php