Ilevia EVE X1 Server OS Command Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

An OS command injection vulnerability has been identified in Ilevia EVE X1 Server firmware versions through 4.7.18.0.eden. The vulnerability resides in the 'mbus_build_from_csv.php' file, where an unauthenticated attacker can execute arbitrary code by injecting commands through specific HTTP POST parameters. Ilevia has advised customers not to expose port 8080 to the internet.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the server without authenticating, potentially leading to unauthorized access to or control over the system.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the '/ajax/php/mbus_build_from_csv.php' endpoint. The 'mbus_file' and 'mbus_csv' parameters can be used to inject and execute arbitrary shell commands. This can be done using tools like curl or Postman, or through a custom script that automates the process.
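As an added example (not part of this advisory and not Ilevia's own code), the following Python flags requests to the vulnerable endpoint in web-server access logs, ranking hits from outside the management LAN highest because the vendor's mitigation is to keep port 8080 off the internet. The log lines are constructed, and the Common Log Format and the trusted RFC 1918 ranges are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Oct/2025:18:32:01 +0000] "POST /ajax/php/mbus_build_from_csv.php HTTP/1.1" 200 57
192.168.1.20 - - [16/Oct/2025:18:33:15 +0000] "GET /index.php HTTP/1.1" 200 1024
192.168.1.21 - - [16/Oct/2025:18:34:02 +0000] "POST /ajax/php/mbus_build_from_csv.php HTTP/1.1" 200 57
198.51.100.7 - - [16/Oct/2025:18:35:40 +0000] "GET /ajax/php/mbus_build_from_csv.php?x=1 HTTP/1.1" 200 57
"""

# Endpoint named in the advisory; the injectable parameters arrive in the POST body.
VULNERABLE_ENDPOINT = "/ajax/php/mbus_build_from_csv.php"

# Assumption: the building-automation LAN uses RFC 1918 space; anything else is "external".
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without any query string
    return rec


def is_external(src):
    """True when the source address is outside the trusted management ranges."""
    try:
        addr = ip_address(src)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)


def find_suspicious(log_text):
    """Return (src, timestamp, severity) for every request to the vulnerable endpoint.

    'high'   : POST from outside the trusted LAN (endpoint reachable from the internet)
    'medium' : POST from inside the trusted LAN
    'low'    : any other method touching the endpoint (worth a look, not injectable per advisory)
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULNERABLE_ENDPOINT:
            continue
        if rec["method"] == "POST":
            severity = "high" if is_external(rec["src"]) else "medium"
        else:
            severity = "low"
        hits.append((rec["src"], rec["ts"], severity))
    return hits
```

Any "high" hit means port 8080 is reachable from an untrusted network, which contradicts the vendor's guidance and should be treated as a likely compromise until the host is examined.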

Added: Oct 16, 2025, 6:32 PM
Updated: Oct 16, 2025, 8:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.8
threat: 6.7
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.