Advisory

CISA and Ilevia Report Multiple Critical Vulnerabilities in EVE X1 Industrial Servers

Take action: If you are using Ilevia systems, review the advisory in detail. As usual, isolate all industrial devices from the internet and make them accessible only from trusted networks. Make sure port 8080 is closed. Then plan a quick patch cycle: several of the flaws are critical and easily exploited. And be aware that some flaws remain unpatched, because the vendor refused to fix them.


Learn More

CISA and Ilevia, an Italian automation firm, report nine security vulnerabilities affecting Ilevia's EVE X1 Server, which is used in the critical manufacturing sector. These flaws include critical command injections and authentication bypasses that allow unauthenticated attackers to gain full control over the server.

Vulnerabilities summary:

  • CVE-2025-34184 (CVSS score 9.8) - An unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Attackers can inject malicious payloads into the 'passwd' POST parameter to run arbitrary system commands. This allows for complete system takeover or service disruption without valid credentials.
  • CVE-2025-34183 (CVSS score 9.8) - A logging flaw that stores plaintext credentials in publicly accessible .log files. Remote attackers can read these files to obtain administrative passwords and bypass authentication entirely. This leads to full system compromise through credential reuse.
  • CVE-2025-34186 (CVSS score 9.8) - An authentication bypass vulnerability where unsanitized input is passed to a system() call. Attackers can manipulate command parsing to force a non-zero exit code, which the binary incorrectly interprets as a successful login. This grants unauthorized access to the management interface.
  • CVE-2025-34187 (CVSS score 9.8) - A privilege escalation vulnerability caused by a misconfigured sudoers file. Attackers who gain initial access can execute specific Bash scripts with root privileges without a password. By replacing these writable scripts with malicious code, attackers achieve full root control.
  • CVE-2025-34513 (CVSS score 9.8) - An OS command injection vulnerability in the mbus_build_from_csv.php component. Unauthenticated attackers can send crafted requests to execute arbitrary code on the underlying operating system.
  • CVE-2025-34185 (CVSS score 7.5) - A pre-authentication path traversal vulnerability in the db_log parameter. Attackers can use this to read arbitrary files from the server's filesystem.
  • CVE-2025-34517 (CVSS score 7.5) - An absolute path traversal vulnerability in get_file_content.php that allows an attacker to read arbitrary files.
  • CVE-2025-34518 (CVSS score 7.5) - A relative path traversal vulnerability in get_file_content.php that allows an attacker to read arbitrary files.
  • CVE-2025-34512 (CVSS score 5.4) - A reflected cross-site scripting (XSS) vulnerability in index.php enabling arbitrary script execution in a user's browser.

The vulnerabilities affect all Ilevia EVE X1 Server versions up to and including 4.7.18.0.

Some fixes are available, but Ilevia declined to patch several of the reported flaws, including CVE-2025-34517, CVE-2025-34518, CVE-2025-34512, and CVE-2025-34513.

Users should update to the latest version of Ilevia Manager and close port 8080 on all routers and firewalls to prevent external access to the vulnerable web interface. 
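As an added example (not part of the advisory and not Ilevia's code), the following Python script screens web server access logs for the indicators that follow from the vulnerability summary and the mitigation guidance above: requests to the named scripts from outside the trusted networks, path traversal markers in query strings, and .log files served by the web interface. The trusted ranges, the script paths, the "file" parameter name and the sample log lines are constructed assumptions, not values from the advisory.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Assumed trusted ranges: replace with the networks allowed to reach the EVE X1 web UI.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Scripts named in the advisory; requests to them from untrusted sources are suspect.
WATCHED = {"login.php": "CVE-2025-34184 / CVE-2025-34186",
           "mbus_build_from_csv.php": "CVE-2025-34513",
           "get_file_content.php": "CVE-2025-34517 / CVE-2025-34518"}
# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def is_trusted(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED)
    except ValueError:  # malformed address: treat as untrusted
        return False

def has_traversal(query: str) -> bool:
    # True if any query value holds a traversal sequence or an absolute path;
    # decoding twice also catches double-encoded forms such as %252e%252e%252f.
    for _, value in parse_qsl(query, keep_blank_values=True):
        v = unquote(unquote(value)).replace("\\", "/")
        if "../" in v or v.startswith("/"):
            return True
    return False

def analyze(lines):
    # Return (reason, line) pairs for entries matching the advisory's indicators.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        script = url.path.rsplit("/", 1)[-1]
        if script in WATCHED and not is_trusted(ip):
            findings.append((f"{WATCHED[script]}: {script} requested from untrusted {ip}", line))
        if has_traversal(url.query):
            findings.append((f"path traversal marker in request to {script}", line))
        if url.path.lower().endswith(".log") and status == "200":  # CVE-2025-34183
            findings.append((f".log file served by the web interface to {ip}", line))
    return findings

# Constructed sample lines (not real traffic); the paths and the "file" parameter are assumed.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2025:10:00:01 +0000] "POST /ajax/php/login.php HTTP/1.1" 200 512',
    '10.1.2.3 - - [01/Jul/2025:10:00:05 +0000] "POST /ajax/php/login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jul/2025:10:00:09 +0000] "GET /get_file_content.php?file=..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 64',
    '203.0.113.7 - - [01/Jul/2025:10:00:12 +0000] "GET /log/eve.log HTTP/1.1" 200 90210',
]
```

Run `analyze(SAMPLE_LOG)` against your own access log lines; POST bodies (such as the 'passwd' parameter) are not in standard access logs, so the login.php rule relies on source network rather than payload content.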
