EVE X1 Server CVE-2025-34512
Severity (by source): MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a reflected cross-site scripting (XSS) vulnerability in index.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Analysis (AI)
Reflected XSS in Ilevia EVE X1 Server firmware (all versions through 4.7.18.0.eden) lets an unauthenticated network attacker achieve client-side code execution in a victim's browser by injecting a malicious payload through the index.php endpoint on port 8080. A publicly available proof-of-concept exploit exists (ZSL-2025-5961), which raises the practical risk above what the 5.1 CVSS score alone would suggest. Critically, Ilevia has formally declined to issue a patch, leaving all deployed devices permanently unmitigated at the firmware level; the only vendor-sanctioned control is network segmentation.
Technical Context (AI)
The affected product is Ilevia EVE X1 Server firmware, a PHP-based building/home automation controller web interface identified by CPE cpe:2.3:o:ilevia:eve_x1_server_firmware:*:*:*:*:*:*:*:* (all versions through 4.7.18.0.eden). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a reflected XSS class in which user-supplied input arriving in an HTTP request is echoed back into the HTTP response without adequate sanitization or encoding. Because the sink is the index.php entry point of the web UI (listening on port 8080), any parameter or path component that is reflected into the rendered page is a potential injection vector. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms that the interface is network-accessible, that exploitation requires no special configuration or prior authentication, and that it demands the victim actively interact with a crafted link. Important: the 'RCE' tag applied to this CVE is a conflation. CWE-79/reflected XSS produces client-side JavaScript execution in the victim's browser context, not server-side remote code execution. Claims of full host-level RCE are not supported by the available CWE or CVSS data and should be independently verified.
Remediation (AI)
No vendor-released patch is available and none is expected: Ilevia has formally declined to service this vulnerability. The vendor's sole recommended compensating control is to block port 8080 from internet exposure, preventing external attackers from delivering malicious links that route through the public internet to the device. This is an actionable and specific step: configure perimeter firewall rules or ACLs to deny all inbound and outbound traffic on TCP port 8080 to/from EVE X1 Server IP addresses. Trade-off: this prevents remote management via the web UI from untrusted networks. For environments where remote access is operationally required, place the device behind a VPN gateway and restrict the web UI to VPN-only subnet access, eliminating the internet-facing attack surface entirely. Additionally, organizations should enforce strict anti-phishing controls and user awareness to reduce the likelihood of the successful social engineering that XSS delivery requires (UI:A). No additional workarounds have been published by the vendor. Advisory references: https://www.vulncheck.com/advisories/ilevia-eve-x1-server-reflected-xss and https://www.ilevia.com/.
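Because no firmware fix will ship, monitoring the device's web server log for reflection attempts against the index.php sink is a practical compensating control alongside the port-8080 block. The following is an added example, not code from Ilevia or from the advisory: it triages combined-format access log lines (constructed here, with assumed client addresses and parameter names) and flags requests to index.php whose URL-decoded query values or path carry characters that become active when echoed unencoded into HTML.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: client, identity, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
# Coarse triage pattern: tag/attribute delimiters, javascript: URIs and on*= handlers.
# Deliberately broad; a quote in a legitimate value (e.g. a surname) will also be flagged.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

# Constructed sample lines; addresses are documentation ranges, parameter names are assumed.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/May/2025:10:01:09 +0000] "GET /index.php?page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5211',
    '198.51.100.4 - - [12/May/2025:10:02:00 +0000] "GET /api/status HTTP/1.1" 200 88',
    '198.51.100.4 - - [12/May/2025:10:02:30 +0000] "GET /index.php?q=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5000',
]

def parse_line(line):
    """Split one access log line into its fields; returns None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes once, which is what the PHP side sees in $_GET.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec

def flag_xss_attempt(rec, sink_path="/index.php"):
    """Return the names of parameters (or '<path>') carrying HTML-active input to the sink."""
    if rec is None or not rec["path"].endswith(sink_path):
        return []
    hits = [name for name, value in rec["params"] if SUSPICIOUS.search(value)]
    if SUSPICIOUS.search(unquote(rec["path"])):
        hits.append("<path>")
    return hits

def scan(lines):
    """Yield (client, flagged parameter names) for every suspicious request to the sink."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        hits = flag_xss_attempt(rec)
        if hits:
            findings.append((rec["client"], hits))
    return findings

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(f"{client}: HTML-active input in {', '.join(hits)}")
```

Feed it the real log with a stricter allow-list of expected parameter values once the device's normal traffic is known; the pattern above is a starting point for tuning, not a finished signature.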