Critical remote code execution flaw reported in Evertz Broadcasting Infrastructure
Take action: If you use Evertz products, be aware that they are critically vulnerable and that no patch is available. Immediately isolate all management interfaces from untrusted networks and the internet. Implement network monitoring to detect suspicious web requests targeting the vulnerable PHP endpoints, and schedule regular security checks and penetration testing. Then check with the vendor regularly for a patch.
Learn More
ONEKEY Research Labs reports a critical security flaw in products from Evertz Microsystems, a leading provider of broadcast equipment and solutions for the television and telecommunications industries. The flaw affects virtually all of their product lines.
The vulnerability is tracked as CVE-2025-4009 (CVSS score 9.3). It is an unauthenticated arbitrary command injection vulnerability in the Evertz webEASY web interface that allows remote attackers, with no credentials at all, to gain root-level access to affected broadcasting infrastructure devices.
The technical root of the vulnerability lies in two specific PHP files within the web management interface: feature-transfer-import.php and feature-transfer-export.php. These files construct shell commands directly from user-supplied parameters including action, filename, and slot without any input sanitization or validation. This design flaw allows attackers to inject malicious commands that are executed with root privileges on the target system.
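To make the root cause concrete, here is an added example, not Evertz's code (which is PHP and is not reproduced in the advisory), written in Python: the same pattern of splicing the action, slot and filename parameters into a shell command string, next to a hardened version that validates each parameter against an allowlist and hands the program an argument vector instead of a shell string. The use of echo as the stand-in program, the command shape and the slot range are assumptions.

```python
import re
import subprocess

# Illustration of the pattern the advisory describes in the PHP transfer
# scripts, written in Python: request parameters are interpolated into a shell
# command with no validation. Not Evertz's code; `echo` stands in for the real
# transfer tool and the command shape is assumed.


def vulnerable_command(params):
    """Build the command the vulnerable handler's way: raw string interpolation."""
    return "echo transfer --action=%s --slot=%s --file=%s" % (
        params.get("action", ""), params.get("slot", ""), params.get("filename", ""))


def vulnerable_run(params):
    # shell=True hands the whole string to /bin/sh, so ';', '|', '$(...)' and
    # friends inside any parameter start a new command.
    return subprocess.run(vulnerable_command(params), shell=True,
                          capture_output=True, text=True).stdout


# Hardened form: strict per-parameter allowlists and no shell in the path.
ALLOWED_ACTIONS = {"import", "export"}
FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")  # no leading dot, no '/'
SLOT_RE = re.compile(r"\d{1,3}")
MAX_SLOT = 31  # assumed upper bound for slot numbers on the device


class RejectedInput(ValueError):
    """Raised when a parameter fails validation; the handler should answer 400."""


def hardened_argv(params):
    action = params.get("action", "")
    if action not in ALLOWED_ACTIONS:
        raise RejectedInput("action")
    filename = params.get("filename", "")
    if not FILENAME_RE.fullmatch(filename):
        raise RejectedInput("filename")
    slot_str = params.get("slot", "")
    if not SLOT_RE.fullmatch(slot_str) or int(slot_str) > MAX_SLOT:
        raise RejectedInput("slot")
    # Each argv element reaches the program as one argument; nothing parses it.
    return ["echo", "transfer", "--action=" + action,
            "--slot=%d" % int(slot_str), "--file=" + filename]


def hardened_run(params):
    return subprocess.run(hardened_argv(params), shell=False,
                          capture_output=True, text=True).stdout


def validation_error(params):
    """Name of the first parameter hardened_argv rejects, or None if all pass."""
    try:
        hardened_argv(params)
    except RejectedInput as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    attack = {"action": "export", "slot": "1", "filename": "x; echo INJECTED"}
    print(vulnerable_run(attack), end="")  # second output line comes from the injected command
    print("hardened handler rejected parameter:", validation_error(attack))
```

The hardened version fixes two things at once: the allowlists reject the payload before any command is built, and even a value that slipped through would arrive at the program as a single argument because no shell ever tokenises it. Neither fix is a substitute for the other.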
Compounding the severity of the command injection is a separate authentication bypass flaw in the login.php file. The login logic accepts a user-controlled authorized parameter containing either a JSON structure or a base64-encoded JSON structure and creates an authenticated session from its contents, without checking it against any credentials or server-side state. An unauthenticated attacker therefore only has to craft a base64-encoded JSON structure describing an administrative user to gain immediate access to the system.
Together, the two flaws let a remote, unauthenticated attacker achieve complete system compromise with a handful of plain HTTP requests. Exploitation needs nothing more than basic tools such as curl, which puts the vulnerability within reach of attackers with minimal technical sophistication.
The vulnerability impacts a broad range of Evertz broadcasting equipment, with confirmed affected systems including the SDVN 3080ipx-10G High Bandwidth Ethernet Switching Fabric and multiple product lines sharing the vulnerable webEASY interface. Based on ONEKEY Research Labs' analysis, the following systems are considered affected:
- Evertz SDVN 3080ipx-10G (confirmed vulnerable)
- Evertz MViP-II media processing platform
- Evertz cVIP compact video processor
- Evertz 7890IXG routing switcher
- Evertz CC Access Server closed captioning system
- Evertz 5782XPS-APP-4E processing platform
- All systems running webEASY (ewb) versions 1.4, 1.5, and 1.6 (confirmed vulnerable)
Primary attack scenarios include the interruption or complete halt of live media streaming services, which could result in significant revenue loss and reputational damage for broadcasting organizations. Attackers could manipulate media content in real-time, potentially altering news broadcasts, entertainment programming, or advertising content without detection. The ability to modify closed captions and accessibility features could impact compliance with broadcasting regulations and accessibility requirements.
The research team attempted to coordinate disclosure with Evertz through multiple channels over a 90-day period, following industry-standard responsible disclosure practice. Beginning with email, the researchers expanded their outreach to direct messages via LinkedIn and Twitter in an effort to reach Evertz cybersecurity personnel.
When these efforts received no response, ONEKEY escalated by opening a formal case with CERT/CC through its Vulnerability Information and Coordination Environment (VINCE) platform. Despite all of this, Evertz neither acknowledged nor responded to any of the disclosure attempts.
Following the expiration of the standard 90-day disclosure deadline on May 26, 2025, ONEKEY Research Labs proceeded with full public disclosure on May 28, 2025.
As of the time of disclosure, no official patches or security updates have been released by Evertz to address CVE-2025-4009. The vendor has not issued any security advisories, acknowledgments, or timelines for remediation efforts.
Given the absence of official patches, organizations must implement immediate mitigations: isolate and segment the management interfaces, deploy network intrusion detection capable of identifying command injection attempts against the webEASY endpoints, and pair these with regular security assessments and penetration testing.
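As an added example of the monitoring this advisory recommends (not code from ONEKEY or Evertz), the following Python scans web server access-log lines for the two request shapes described above: requests to feature-transfer-import.php or feature-transfer-export.php whose action, filename or slot parameters contain shell metacharacters, or that come from outside the management subnet, and requests to login.php carrying a client-supplied authorized parameter, which it decodes from raw or base64-encoded JSON. The URL paths, the management subnet and the sample log lines are constructed assumptions.

```python
import base64
import binascii
import ipaddress
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample, not real traffic: combined-format access-log lines against
# a webEASY-style host. Script paths are assumed (the advisory names the files,
# not their location) and 10.10.5.0/24 is an assumed management subnet. The
# forged `authorized` value follows the advisory: base64-encoded JSON naming an
# administrative user.
FORGED_AUTHORIZED = base64.b64encode(b'{"user":"admin","role":"admin"}').decode()
SAMPLE_LOG = "\n".join([
    '10.10.5.21 - - [28/May/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/May/2025:10:01:09 +0000] "GET /feature-transfer-export.php?action=export&slot=1&filename=x%3Bid HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '203.0.113.7 - - [28/May/2025:10:01:15 +0000] "GET /login.php?authorized=%s HTTP/1.1" 302 0 "-" "curl/8.5.0"' % quote(FORGED_AUTHORIZED, safe=""),
    '10.10.5.21 - - [28/May/2025:10:02:00 +0000] "GET /feature-transfer-import.php?action=import&slot=2&filename=preset.bin HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRANSFER_SCRIPTS = {"feature-transfer-import.php", "feature-transfer-export.php"}
INJECTED_PARAMS = ("action", "filename", "slot")
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")  # assumed


def decode_authorized(value):
    """Recover the JSON object from an `authorized` value, which may be raw JSON
    or base64-encoded JSON per the advisory; None if it is neither."""
    try:
        obj = json.loads(value)
        if isinstance(obj, dict):
            return obj
    except ValueError:
        pass
    try:
        obj = json.loads(base64.b64decode(value, validate=True))
    except (ValueError, binascii.Error):
        return None
    return obj if isinstance(obj, dict) else None


def outside_mgmt(ip):
    try:
        return ipaddress.ip_address(ip) not in MGMT_NET
    except ValueError:
        return True  # an unparsable source address is not a trusted one


def analyze_line(line):
    """Return a list of (rule, detail) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    script = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if script in TRANSFER_SCRIPTS:
        if outside_mgmt(m.group("ip")):
            findings.append(("outside-mgmt-access", m.group("ip")))
        for name in INJECTED_PARAMS:
            for value in query.get(name, []):
                if SHELL_META.search(value):
                    findings.append(("shell-metachar-in-" + name, value))
    if script == "login.php":
        for value in query.get("authorized", []):
            decoded = decode_authorized(value)
            findings.append(("client-supplied-authorized", decoded if decoded is not None else value))
    return findings


def scan(log_text):
    """(line number, finding) pairs for every suspicious line in the log."""
    return [(n, f) for n, line in enumerate(log_text.splitlines(), 1) for f in analyze_line(line)]


if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG):
        print("line %d: %s %r" % (lineno, finding[0], finding[1]))
```

Access logs only record the query string, so an authorized parameter sent in a POST body will not appear here; catching that needs a reverse proxy, WAF or IDS that inspects request bodies, placed in front of the device since the device itself cannot be patched. The outside-mgmt-access rule is the segmentation requirement expressed as a log check: any hit on the transfer scripts from a non-management address means the isolation has a hole.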