CVE-2025-4009 Scanner
CVE-2025-4009 Scanner - Remote Code Execution vulnerability in Evertz SDVN 3080ipx-10G
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 7 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Evertz SDVN 3080ipx-10G is a high-bandwidth video networking switch used in professional media environments to manage video streams, switching, and closed captioning. The appliance ships with a web-based management interface through which administrators control its key functions, and it is typically deployed in broadcast studios, video control centers, and large-scale streaming environments. The interface is written in PHP on top of Evertz's proprietary webEASY SDK (also called 'ewb') and is served over plain HTTP on port 80, giving direct administrative access to the device configuration. Because these switches sit in production broadcast infrastructure, a vulnerability in this interface can translate directly into operational disruption.
The vulnerability tracked as CVE-2025-4009 lets an unauthenticated remote attacker execute arbitrary commands as root. It is a chain of two flaws: a logic bypass in the authentication mechanism and missing input sanitization in certain endpoints. A crafted, Base64-encoded value supplied to the login page is accepted in place of valid credentials and yields a session. With that session, the attacker can reach endpoints such as `feature-transfer-export.php`, which pass attacker-controlled input into shell commands and therefore allow arbitrary command execution. The flaw affects every device whose web interface runs the vulnerable webEASY SDK code, i.e. any firmware predating the vendor's security patch.
The scanner first sends a GET request to `/login.php` with a specially crafted `authorized` parameter to obtain a session. It then requests `/v.1.5/php/features/feature-transfer-export.php` with command injection vectors. The target is reported as vulnerable only when the response body contains the output of a Unix `id` command, i.e. the tokens `uid=`, `gid=`, and `groups=`, which shows that the injected command actually ran on the appliance and confirms unauthenticated remote code execution. Because the verdict depends on command output being echoed back, a device that is vulnerable but truncates or filters the response can be missed; the three tokens appearing together in a management page, on the other hand, are a reliable positive, since no legitimate page of the interface prints `id` output.
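The two signals the scan flow above relies on, as an added example that is not part of this page or of Evertz's code: the response check (Unix `id` output in an HTTP body) that confirms execution, and a detector that flags the same two endpoints in a web server access log so that a defender can spot probes against the appliance. The log lines, the client addresses, the `authorized` value (`ZXhhbXBsZQ==`, which is only Base64 for "example", not the real bypass payload) and the `name` parameter on the export endpoint are constructed for this example; the page names the endpoints and the `authorized` parameter but not the working payloads.

```python
"""Detection helpers for CVE-2025-4009 probes (added example, not the scanner's code).

Assumptions not taken from the page: access logs are in Apache/nginx combined
format; the sample log, addresses and parameter values below are constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# `id` prints e.g. "uid=0(root) gid=0(root) groups=0(root)"; all three tokens are
# required, in order, so a page that merely mentions "uid=" does not match.
ID_OUTPUT_RE = re.compile(r"uid=\d+\([^)]*\)\s+gid=\d+\([^)]*\)\s+groups=\d+")

LOGIN_PATH = "/login.php"
EXPORT_PATH = "/v.1.5/php/features/feature-transfer-export.php"

# Shell metacharacters that terminate or chain a command; their presence in a
# parameter sent to the export endpoint is what a command-injection probe looks like.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(")

COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def has_id_output(body: str) -> bool:
    """True if the HTTP body contains Unix `id` output (the scanner's success signal)."""
    return ID_OUTPUT_RE.search(body) is not None


def is_base64_like(value: str) -> bool:
    """Loose check: Base64 alphabet, long enough to carry a payload, and decodable."""
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return False
    padded = value + "=" * (-len(value) % 4)
    try:
        base64.b64decode(padded, validate=True)
    except binascii.Error:
        return False
    return True


def classify_request(line: str):
    """Return (client_ip, reason, request_target) for a suspicious request, else None."""
    m = COMBINED_LOG_RE.match(line)
    if not m:
        return None
    ip, target = m.group("ip"), m.group("target")
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if parts.path == LOGIN_PATH and "authorized" in params:
        for value in params["authorized"]:
            # parse_qs turns '+' into a space; restore it before testing the alphabet.
            if is_base64_like(value.replace(" ", "+")):
                return (ip, "login-bypass-probe", target)
        return (ip, "login-authorized-param", target)
    if parts.path == EXPORT_PATH:
        for values in params.values():
            if any(SHELL_META_RE.search(v) for v in values):
                return (ip, "export-command-injection-probe", target)
        # Any hit on the export endpoint is worth a look: it is the post-bypass
        # target, and POST bodies are not visible in an access log.
        return (ip, "export-endpoint-access", target)
    return None


def scan_access_log(lines):
    """Run classify_request over every line and collect the findings in order."""
    return [hit for hit in (classify_request(line) for line in lines) if hit]


# Constructed sample log: one scanner-style sequence from 192.0.2.10, one ordinary
# login page view and one unqualified export access from 198.51.100.7.
SAMPLE_LOG = """192.0.2.10 - - [12/May/2025:10:01:02 +0000] "GET /login.php?authorized=ZXhhbXBsZQ== HTTP/1.1" 200 512
192.0.2.10 - - [12/May/2025:10:01:03 +0000] "GET /v.1.5/php/features/feature-transfer-export.php?name=test%3Bid HTTP/1.1" 200 231
198.51.100.7 - - [12/May/2025:10:05:00 +0000] "GET /login.php HTTP/1.1" 200 4096
198.51.100.7 - - [12/May/2025:10:05:20 +0000] "POST /v.1.5/php/features/feature-transfer-export.php HTTP/1.1" 200 1024"""

if __name__ == "__main__":
    for ip, reason, target in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {reason:32} {target}")
```

The access-log detector is deliberately noisy on the export endpoint: a plain GET of `/login.php` is normal traffic and is ignored, but any request to `feature-transfer-export.php` is surfaced because the injected command may travel in a POST body that never reaches the log, and on a device that is exposed on port 80 that endpoint should only ever be touched by a handful of known administrator addresses.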
If exploited, an attacker gains root-level control of the device, which can mean interruption or manipulation of media streams, alteration of closed caption data, or complete takeover of the appliance. The impact is magnified in media networks where these switches form the backbone of content delivery: a compromised switch is both a foothold for pivoting into the internal network and a lever for disrupting live broadcasts. Given that no credentials are needed and the resulting privileges are root, this vulnerability poses an extreme risk to affected infrastructure. Until the vendor's fix is applied, the port 80 management interface should be reachable only from an isolated management network and never from the internet.