A critical vulnerability (CVE-2025-4009) was found in Evertz’s Software Defined Video Network (SDVN) products, allowing attackers to run remote code without logging in.
Evertz SDN Vulnerability
Discovered by ONEKEY Research Labs, the issue affects the main web admin interface used across several Evertz devices, threatening global media systems. The problem is an unauthenticated command injection in the PHP-based webEASY (ewb) interface. Devices like the SDVN 3080ipx-10G, MViP-II, cVIP, 7890IXG, CC Access Server, and 5782XPS-APP-4E are all affected.
Attackers can send special HTTP requests to run commands as root without needing any credentials.
The vulnerability comes from two PHP files, feature-transfer-import.php and feature-transfer-export.php, which use user input (the action, filename and slot parameters) to build shell commands without checking or sanitizing the input.
This lets attackers run commands by sending a simple request like:

```bash
curl 'http:///v.1.5/php/features/feature-transfer-import.php?action=id;&filename=&varid=&slot='
```

or

```bash
curl 'http:///v.1.5/php/features/feature-transfer-export.php?action=id;&filename=&varid=&slot='
```
To make things worse, the login.php authentication is broken. Attackers can create a base64-encoded JSON string that mimics an admin account to bypass the login:

```bash
curl 'http://<device-ip>/login.php?authorized=<base64-encoded-admin-json>'
```
Using both flaws, an attacker can take full control of the device without logging in, run commands as root, and fully compromise the system.
Affected Products
| Product / Component | Status | Vulnerable Versions | Fixed Version | CVE ID | CVSS Score |
|---|---|---|---|---|---|
| Evertz SDVN 3080ipx-10G | Confirmed | All | N/A | CVE-2025-4009 | 9.3 |
| Evertz MViP-II | Suspected | All | N/A | CVE-2025-4009 | 9.3 |
| Evertz cVIP | Suspected | All | N/A | CVE-2025-4009 | 9.3 |
| Evertz 7890IXG | Suspected | All | N/A | CVE-2025-4009 | 9.3 |
| Evertz CC Access Server | Suspected | All | N/A | CVE-2025-4009 | 9.3 |
| Evertz 5782XPS-APP-4E | Suspected | All | N/A | CVE-2025-4009 | 9.3 |
| ewb v1.4, v1.5, v1.6 | Confirmed | All | N/A | CVE-2025-4009 | 9.3 |
Business Impact
This critical vulnerability (CVSS 9.3) allows attackers to run commands as root without logging in. If exploited, it can lead to:
- Stream disruptions – Live feeds can be stopped or changed.
- Content tampering – Attackers might alter media or captions.
- Full system takeover – Gaining root access to key broadcast systems.
Disclosure & Mitigation
Despite many contact attempts—including emails, social media, and CERT.CC—Evertz did not respond. As a result, the vulnerability was publicly disclosed two days after the 90-day deadline.
🔑 Key Points:
- This is ONEKEY’s first full public disclosure after 50 coordinated advisories.
- The flaw affects most Evertz products using the shared web admin backend.
🛡️ Recommended Actions:
- Disconnect vulnerable interfaces from public or untrusted networks.
- Restrict access at the network level.
- Monitor traffic and logs for unusual web requests or shell activity.
- Wait for vendor patches and apply them as soon as available.
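One way to act on the "monitor traffic and logs" recommendation, as an added example that is not from the advisory or from Evertz: a small Python scanner that reads web-server access-log lines and flags the two request patterns described above (shell metacharacters in the action/filename/slot/varid parameters of the feature-transfer scripts, and a client-supplied authorized parameter on login.php). The log lines, IP addresses and parameter values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoints and parameters named in the advisory (webEASY/ewb interface).
INJECTION_ENDPOINTS = ("feature-transfer-import.php", "feature-transfer-export.php")
INJECTED_PARAMS = ("action", "filename", "slot", "varid")
SHELL_META = re.compile(r"[;|&`$()<>\n]")  # characters that end or chain a shell command
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample access log (Common Log Format); addresses and values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /v.1.5/php/features/feature-transfer-import.php?action=id;&filename=&varid=&slot= HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2025:10:01:03 +0000] "GET /login.php?authorized=AAAA HTTP/1.1" 200 128
10.0.0.7 - - [12/May/2025:10:02:10 +0000] "GET /v.1.5/php/features/feature-transfer-export.php?action=export&filename=cfg.tgz&slot=1 HTTP/1.1" 200 4096
"""

def parse_query(query):
    """Split on '&' only (older parse_qs also splits on ';'), so an injected ';' survives."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def classify_request(target):
    """Return a list of finding strings for one request target; empty means nothing matched."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_query(parts.query)
    findings = []
    if script in INJECTION_ENDPOINTS:
        for name in INJECTED_PARAMS:
            if any(SHELL_META.search(v) for v in params.get(name, [])):
                findings.append(f"shell metacharacter in '{name}' sent to {script}")
    if script == "login.php" and "authorized" in params:
        findings.append("client-supplied 'authorized' parameter on login.php (bypass pattern)")
    return findings

def scan_log(text):
    """Return (ip, timestamp, target, findings) for every suspicious log line."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), findings))
    return hits

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

Legitimate use of the export script (plain values in action/filename/slot) produces no finding, so the scanner can run continuously over the device's access logs without flooding on normal traffic.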