CVE-2025-4009

EPSS 7.04%
Veröffentlicht 28.05.2025 07:15:24
Zuletzt bearbeitet 12.09.2025 14:15:40
Quelle research@onekey.com
CVE-Watchlists
Login
Unerledigt
Login

The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product
features, setup network switching, and register license among other features. The application has been developed in PHP with the webEASY SDK, also named ‘ewb’ by Evertz.

This web interface has two endpoints that are vulnerable to arbitrary command injection (CVE-2025-4009, CVE-2025-10364) and the authentication mechanism has a flaw leading to authentication bypass (CVE-2025-10365).

CVE-2025-4009 covers the command injection in feature-transfer-import.php
CVE-2025-10364 covers the command injection in feature-transfer-export.php

Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices.

This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, alteration of closed captions being generated, among others.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerEvertz

≫

Produkt 3080ipx-10G

Default Statusaffected

Version 0

Status affected

HerstellerEvertz

≫

Produkt MViP-II

Default Statusaffected

Version 0

Status affected

HerstellerEvertz

≫

Produkt cVIP

Default Statusaffected

Version 0

Status affected

HerstellerEvertz

≫

Produkt 7890IXG

Default Statusaffected

Version 0

Status affected

HerstellerEvertz

≫

Produkt CC Access Server

Default Statusaffected

Version 0

Status affected

HerstellerEvertz

≫

Produkt 5782XPS-APP-4E

Default Statusaffected

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	7.04%	0.913

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
research@onekey.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:C/RE:X/U:X

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009

https://nvd.nist.gov/vuln/detail/CVE-2025-4009

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-4009

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-4009

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-4009