How severe is CVE-2025-4009?

This vulnerability has a severity rating of CRITICAL with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2025-4009?

This is classified as CWE-77, which is a common weakness in software security.

CVE-2025-4009 - CRITICAL Severity | CVSS N/A

Vulnerability Description

The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and register license among other features. The application has been developed in PHP with the webEASY SDK, also named ‘ewb’ by Evertz. This web interface has two endpoints that are vulnerable to arbitrary command injection and the authentication mechanism has a flaw leading to authentication bypass. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices. This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, alteration of closed captions being generated, among others.

Related Vulnerabilities

CVE-2024-51736

NONE

CVSS:0.0(None)

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory it...

CWE-772024

CVE-2015-7541

CRITICAL

CVSS:10.0(Critical)

The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metachara...

CWE-772015

CVE-2017-7722

CRITICAL

CVSS:10.0(Critical)

In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a menu system is encountered when the SSH service is accessed with "cmc" and "password" (the default username and password). By exploitin...

CWE-772017

CVE-2017-7876

CRITICAL

CVSS:10.0(Critical)

This command injection vulnerability in QTS allows attackers to run arbitrary commands in the compromised application. QNAP have already fixed the issue in QTS 4.2.6 build 20170517, QTS 4.3.3.0174 bui...

CWE-772017

CVE-2018-16462

CRITICAL

CVSS:10.0(Critical)

A command injection vulnerability in the apex-publish-static-files npm module version <2.0.1 which allows arbitrary shell command execution through a maliciously crafted argument.

CWE-772018

CVE-2020-27227

CRITICAL

CVSS:10.0(Critical)

An exploitable unatuhenticated command injection exists in the OpenClinic GA 5.173.3. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request...

CWE-772020