Evertz SDN Vulnerabilities Enable Unauthenticated Arbitrary Command Execution

A newly disclosed critical vulnerability (CVE-2025-4009) in Evertz’s Software Defined Video Network (SDVN) product line exposes a wide range of broadcasting infrastructure to unauthenticated remote code execution.

The flaw, uncovered by ONEKEY Research Labs, affects the core web administration interface shared by multiple Evertz devices, putting global media operations at risk.

Unauthenticated Arbitrary Command Injection

Evertz’s SDVN 3080ipx-10G and other major product lines—including MViP-II, cVIP, 7890IXG, CC Access Server, and 5782XPS-APP-4E—are vulnerable due to a fundamental weakness in their webEASY (ewb) PHP-based management interface.

The flaw enables attackers to execute arbitrary system commands as root without authentication, using specially crafted HTTP requests.

Technical Details and Exploit Example

According to the report, the vulnerability stems from two PHP files, feature-transfer-import.php and feature-transfer-export.php, which build shell commands directly from user-supplied request parameters (action, filename, slot) without any input sanitization.

Attackers can exploit this by sending requests such as:

curl 'http:///v.1.5/php/features/feature-transfer-import.php?action=id;&filename=&varid=&slot='

or

curl "http:///v.1.5/php/features/feature-transfer-export.php?action=id;&filename=&varid=&slot="

Compounding the risk, the authentication mechanism in login.php is flawed.

By crafting a valid base64-encoded JSON structure representing an admin user, an attacker can bypass authentication entirely.

For example:

curl "http:///login.php?authorized="

This combination allows unauthenticated attackers to gain root access to the device, execute arbitrary commands, and fully compromise affected systems.
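The two defects above (shell commands assembled from raw request parameters, and an authorization decision driven by a client-supplied value) are a well-understood weakness class. The following Python example is added here as an illustration and is not code from Evertz, ONEKEY or the advisory: it reconstructs the unsafe pattern in a hypothetical handler and places the hardened form beside it. Only the parameter names (action, filename, slot) come from the article; the helper binary path, the allowed action names and the slot limit are assumptions.

```python
import re
import shlex
import subprocess

# Hypothetical reconstruction of the weakness class the advisory describes: a request
# handler that splices raw query-string values into a shell command line.
# This is NOT Evertz's code; only the parameter names (action, filename, slot) and the
# idea of a shell-backed "feature transfer" come from the article. TOOL is invented.
TOOL = "/usr/local/bin/feature-transfer"   # assumed helper binary, for illustration


def build_command_unsafe(action: str, filename: str, slot: str) -> str:
    # One string that a shell would parse: a ';', '|', '`' or '$(' inside any value ends
    # the intended command and starts another. Never hand a string like this to a shell.
    return f"{TOOL} {action} {filename} {slot}"


ALLOWED_ACTIONS = {"import", "export"}                            # assumed legitimate actions
FILENAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")   # no slashes, no metacharacters
MAX_SLOT = 32                                                     # assumed upper bound on slots


class InvalidParameter(ValueError):
    """Raised when a request parameter fails allowlist validation."""


def build_command_safe(action: str, filename: str, slot: str) -> list[str]:
    """Validate every parameter against an allowlist and return an argv list.

    The list is meant for subprocess.run(argv) without shell=True, so even a value that
    slipped past validation reaches the helper as one argument, never as shell syntax.
    """
    if action not in ALLOWED_ACTIONS:
        raise InvalidParameter(f"action {action!r} is not permitted")
    if not FILENAME_RE.fullmatch(filename):
        raise InvalidParameter("filename contains disallowed characters")
    if not slot.isdigit() or int(slot) > MAX_SLOT:
        raise InvalidParameter(f"slot must be an integer between 0 and {MAX_SLOT}")
    return [TOOL, action, filename, str(int(slot))]


def is_valid_request(action: str, filename: str, slot: str) -> bool:
    """True when all three parameters pass validation, False otherwise."""
    try:
        build_command_safe(action, filename, slot)
    except InvalidParameter:
        return False
    return True


def run_transfer(action: str, filename: str, slot: str) -> subprocess.CompletedProcess:
    """Execute the validated command as an argv list; no shell is ever involved."""
    return subprocess.run(build_command_safe(action, filename, slot),
                          check=False, capture_output=True)


if __name__ == "__main__":
    # Shows the difference without executing anything.
    print("unsafe:", build_command_unsafe("id;", "", ""))          # a shell would run 'id'
    print("safe  :", shlex.join(build_command_safe("export", "cfg-1.tar", "3")))
    print("reject:", is_valid_request("id;", "", ""))             # False
```

The design point is that validation and the no-shell argv list are independent layers: the allowlist rejects anything that is not a plausible action, file name or slot number, and the argv form guarantees that whatever does get through is treated as data, not as commands. The same reasoning applies to the login flaw: an "authorized" value supplied by the client must never be the input to an authorization decision; the server has to derive the user's identity from a session it created itself.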

Affected Products Table

Product/Component        | Status    | Vulnerable Versions | Fixed Version | CVE ID        | CVSS Score
Evertz SDVN 3080ipx-10G  | Confirmed | All                 | N/A           | CVE-2025-4009 | 9.3
Evertz MViP-II           | Suspected | All                 | N/A           | CVE-2025-4009 | 9.3
Evertz cVIP              | Suspected | All                 | N/A           | CVE-2025-4009 | 9.3
Evertz 7890IXG           | Suspected | All                 | N/A           | CVE-2025-4009 | 9.3
Evertz CC Access Server  | Suspected | All                 | N/A           | CVE-2025-4009 | 9.3
Evertz 5782XPS-APP-4E    | Suspected | All                 | N/A           | CVE-2025-4009 | 9.3
ewb v1.4, v1.5, v1.6     | Confirmed | All                 | N/A           | CVE-2025-4009 | 9.3

Business Impact and Exploitation Risks

This vulnerability is rated critical (CVSS 9.3), as it allows remote, unauthenticated attackers to execute commands with root privileges. Potential impacts include:

  • Disruption of media streaming: Attackers can halt or alter live video feeds.
  • Tampering with broadcast content: Malicious actors may modify media streams or closed captions, causing reputational and operational harm.
  • Full system compromise: Attackers gain persistent, privileged access to core broadcast infrastructure.

Disclosure Timeline and Mitigation Guidance

Despite repeated attempts to coordinate with Evertz, including emails, social media outreach, and escalation to CERT.CC, no response was received, prompting full public disclosure two days after the 90-day deadline.

Key Takeaways:

  • This is the first full public disclosure by ONEKEY after nearly 50 coordinated advisories.
  • The flaw affects all major Evertz devices using the vulnerable web admin core.
  • Immediate mitigation is essential:
    • Isolate Evertz web interfaces from untrusted networks.
    • Apply strict network-level access controls.
    • Monitor for suspicious web requests and shell activity.
    • Await official vendor patches.
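With no vendor patch available, "monitor for suspicious web requests" is the actionable item, and the two request shapes in the advisory are easy to express as detection rules. The Python scanner below is an added example, not part of the article or of any ONEKEY or Evertz tooling: it parses web-server access-log lines in Common Log Format and flags (a) requests to the two feature-transfer endpoints whose action, filename, varid or slot values contain shell metacharacters, and (b) any request to login.php that carries an authorized parameter. The sample log lines, IP addresses and the placeholder authorized value are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format). IPs, timestamps and the
# authorized= value are placeholders made up for this example, not data from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /v.1.5/php/features/'
    'feature-transfer-export.php?action=export&filename=cfg.tar&varid=1&slot=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2025:10:01:09 +0000] "GET /v.1.5/php/features/'
    'feature-transfer-import.php?action=id;&filename=&varid=&slot= HTTP/1.1" 200 88',
    '203.0.113.7 - - [12/May/2025:10:01:15 +0000] "GET /login.php?authorized=PLACEHOLDER_BASE64_JSON HTTP/1.1" 302 0',
    '10.0.0.8 - - [12/May/2025:10:02:00 +0000] "POST /login.php HTTP/1.1" 200 300',
]

# One CLF request line: ip ident user [timestamp] "METHOD target PROTO" status
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a value break out of a shell command built by string concatenation.
# Checked after URL-decoding, so %3B is caught as ';' too.
SHELL_META_RE = re.compile(r"[;|&`$<>\r\n]")
INJECTION_ENDPOINTS = {"feature-transfer-import.php", "feature-transfer-export.php"}
INJECTION_PARAMS = ("action", "filename", "varid", "slot")


def parse_line(line: str):
    """Return a dict describing the request, or None if the line is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),
        "status": m["status"],
    }


def check_request(req: dict):
    """Apply the two rules to one parsed request; return a finding dict or None."""
    basename = req["path"].rsplit("/", 1)[-1]
    if basename in INJECTION_ENDPOINTS:
        for name in INJECTION_PARAMS:
            for value in req["query"].get(name, []):
                if SHELL_META_RE.search(value):
                    return {"rule": "command-injection", "ip": req["ip"], "ts": req["ts"],
                            "detail": f"{basename} {name}={value!r}"}
    # A client-supplied authorization claim on the login endpoint is never legitimate.
    if basename == "login.php" and "authorized" in req["query"]:
        return {"rule": "auth-bypass", "ip": req["ip"], "ts": req["ts"],
                "detail": "login.php request carries an 'authorized' parameter"}
    return None


def scan_log(lines) -> list[dict]:
    """Run both rules over an iterable of log lines and collect the findings."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        finding = check_request(req)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:<15} {f['rule']:<18} {f['detail']}")
```

Run it over a real access log with `scan_log(open("/var/log/.../access.log"))` (path is site-specific). The metacharacter rule deliberately ignores the endpoint's expected action values, since the advisory does not list them; if you know which actions your deployment legitimately uses, adding an allowlist check on action would catch attempts that avoid metacharacters entirely. Because the device is reported to run the injected commands as root, any hit on the first rule should be treated as a confirmed compromise until the host has been examined.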
