Ilevia EVE X1 Server Absolute Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
An absolute path traversal vulnerability has been identified in Ilevia EVE X1 Server firmware versions through 4.7.18.0.eden. The vulnerability exists in 'get_file_content.php', where the user-supplied 'file' parameter is used as a filesystem path without being confined to the intended directory, so an attacker can read arbitrary files from the server. Ilevia has not addressed this vulnerability and advises customers to avoid exposing port 8080 to the internet.
Impact
Exploitation of this vulnerability allows for unauthorized reading of files on the server, potentially leading to the disclosure of sensitive information.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/ajax/php/get_file_content.php' endpoint with a crafted 'file' parameter that traverses directories. This request can be made using tools like curl or Postman.
Remediation
Ilevia recommends not exposing port 8080 to the internet.
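As an added example (not Ilevia's code, whose handler is not shown here), the following Python illustrates the path-confinement check a file-serving endpoint such as get_file_content.php should apply to its 'file' parameter before opening anything: absolute paths and '../' escapes are refused, and a sibling directory sharing the web root's name prefix is not mistaken for the root. The web root, file names and the demo() helper are constructed for the example.

```python
"""Added example: confine a user-supplied file name to one base directory,
the missing control behind absolute path traversal (CWE-36)."""
import os
import tempfile
from typing import Dict, Optional


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of `requested` if it lies inside `base_dir`,
    otherwise None. Absolute input is the attack case and is never joined."""
    if not requested or requested.startswith(("/", "\\")) or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    # os.path.join would silently drop `base` if the second argument were
    # absolute; that is exactly the bug class, so absolute input was refused above.
    candidate = os.path.realpath(os.path.join(base, requested))
    # The trailing os.sep guard stops /srv/www2/... from passing a check for /srv/www.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def get_file_content(base_dir: str, requested: str) -> Optional[bytes]:
    """Hardened read: only regular files resolved inside base_dir are opened."""
    path = resolve_within(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> Dict[str, Optional[bytes]]:
    """Build a constructed web root in a temp dir and exercise the check."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "pages"))
    with open(os.path.join(root, "pages", "index.html"), "wb") as fh:
        fh.write(b"<h1>ok</h1>")  # constructed sample file
    sibling = "../" + os.path.basename(root) + "2/index.html"  # shared-prefix dir
    return {
        "legit": get_file_content(root, "pages/index.html"),
        "absolute": get_file_content(root, "/etc/hostname"),     # refused
        "dotdot": get_file_content(root, "../../etc/hostname"),  # refused
        "sibling": get_file_content(root, sibling),              # refused
        "empty": get_file_content(root, ""),                     # refused
    }
```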
