Security Advisory: Remote Code Execution on Evertz SDVN (CVE-2025-4009)

Since the inception of ONEKEY Research Labs, we have coordinated vulnerability disclosures with more than 20 vendors for close to 50 different vulnerabilities. While we sometimes had to agree on deadline extensions given the unique nature of the affected devices, we never had to go to full disclosure because of a complete absence of any answer from the vendor. Until today.
We tried to report this unauthenticated command injection to Evertz through different channels (emails, LinkedIn, Twitter) and ended up opening a case with CERT.CC, but heard nothing back from them. We are therefore publishing the details today (May 28th 2025), two days after the 90-day deadline (May 26th 2025).
Evertz is quite ubiquitous in the broadcasting industry and we feel it is our responsibility to make the administrators of those networks aware that such a flaw affects virtually all product lines of Evertz since it affects the core of their web admin interface, which is shared by all devices.
Unauthenticated Arbitrary Command Injection
Summary
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. The device exposes a web management interface on port 80. Administrators use this interface to control product features, set up network switching, and register licenses, among other features. The application is written in PHP with the webEASY SDK, also named ‘ewb’ by Evertz.
This web interface has two endpoints that are vulnerable to arbitrary command injection and the authentication mechanism has a flaw leading to authentication bypass.
Impact
Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.
This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, alteration of closed captions being generated, among others.
Description
The file usr/htdocs/v.1.5/php/features/feature-transfer-import.php builds a command from the user-controlled parameters action, filename, and slot:

Since no sanitization is applied, this allows arbitrary command injection by sending requests like this:
Similarly, the file usr/htdocs/v.1.5/php/features/feature-transfer-export.php builds a command from the user-controlled parameters action, filename, and slot:

Since no sanitization is applied, this allows arbitrary command injection by sending requests like this:
While exploitation is limited to authenticated users, we have found a way to bypass authentication.
In usr/htdocs/login.php, the following logic can be observed:

So if a request carries a GET parameter named authorized, the parseAuthorizedUsers function is called. This function expects a JSON structure, either raw or base64 encoded. The structure is parsed, and a user with an attached role is created from the data provided in it. There is no validation in place and, more importantly, no authentication check, such as verifying that the parameter was created (for example, signed) by the application itself.

Therefore, an unauthenticated user can gain access as an administrator by crafting a valid base64 encoded JSON structure representing an admin user with a role without restrictions.
The authentication bypass can be achieved with the following curl command. The server response shows that the user is indeed authenticated.

By combining the authentication bypass with the command injection, unauthenticated arbitrary command execution as root is obtained.
Key Takeaways
First Full Disclosure in 90-Day Process - After coordinating nearly 50 vulnerabilities across 20+ vendors, this marks our first public disclosure, published two days past the 90-day deadline, due solely to Evertz’s unresponsiveness.
Unauthenticated Root-Level Command Injection - The PHP-based webEASY (ewb) interface used across multiple Evertz product lines allows remote attackers to achieve arbitrary shell execution as root, because two feature endpoints accept unsanitized parameters and the login logic can be bypassed.
Broad Product Impact - All major Evertz devices sharing the vulnerable web admin core are at risk of full system compromise.
Serious Business Consequences - Exploitation can disrupt or manipulate video streams, tamper with closed captions, and interrupt broadcast operations, posing severe operational and reputational damage.
Immediate Mitigation Recommended - Administrators should isolate Evertz web management interfaces from untrusted networks, apply network-level access controls, and monitor for anomalous web requests or shell-spawning processes pending an official vendor patch.
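As an added example that is not part of the advisory or of any Evertz code, the following Python script implements the monitoring recommendation above. It scans web-server access-log lines for the two request patterns this advisory describes: a login.php request carrying an authorized parameter that decodes (raw or base64) to a JSON object, and a request to either feature-transfer endpoint whose action, filename or slot parameter contains shell metacharacters. The log format, the sample log lines and the finding labels are assumptions made here.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

VULN_ENDPOINTS = ("feature-transfer-import.php", "feature-transfer-export.php")  # from the advisory
INJECTED_PARAMS = ("action", "filename", "slot")  # parameters the advisory names as user controlled
SHELL_META = re.compile(r"[;&|`$<>\n]")  # characters that have no place in a slot or filename
# Combined Log Format is assumed; only the client IP and the request target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)')

def is_forged_user_object(value):
    """True if the value is JSON, or base64 of JSON, encoding an object: the
    unsigned user/role structure that login.php accepts without any check."""
    candidates = [value]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        pass  # not base64, or not text: only the raw value is tried
    for raw in candidates:
        try:
            if isinstance(json.loads(raw), dict):
                return True
        except ValueError:
            pass
    return False

def scan_access_log(text):
    """Return one (client ip, path, reason) finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        if url.path.endswith("/login.php") and "authorized" in params:
            forged = any(is_forged_user_object(v) for v in params["authorized"])
            findings.append((m["ip"], url.path, "auth-bypass" if forged else "authorized-param"))
        elif url.path.endswith(VULN_ENDPOINTS):
            tainted = [p for p in INJECTED_PARAMS if any(SHELL_META.search(v) for v in params.get(p, []))]
            if tainted:
                findings.append((m["ip"], url.path, "shell-metachar:" + ",".join(tainted)))
    return findings

# Constructed sample log lines for demonstration, not real traffic.
_FORGED = base64.b64encode(b'{"role":"admin"}').decode()
SAMPLE_LOG = f"""\
10.0.0.5 - - [28/May/2025:10:00:01 +0000] "GET /v.1.5/php/features/feature-transfer-import.php?action=import&filename=backup.tgz&slot=1 HTTP/1.1" 200 512
10.0.0.9 - - [28/May/2025:10:00:02 +0000] "GET /login.php?authorized={_FORGED} HTTP/1.1" 200 128
10.0.0.9 - - [28/May/2025:10:00:03 +0000] "GET /v.1.5/php/features/feature-transfer-export.php?action=export&filename=test.tgz%3Becho+probe&slot=1 HTTP/1.1" 200 64
10.0.0.7 - - [28/May/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024
"""
```

Access logs only record the query string, so parameters sent in a request body will not be seen this way; pair the script with a proxy or web-application firewall that logs bodies if the devices accept POST requests to these endpoints.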
Timeline
- 25/02/2025 - ONEKEY sends a notification to Service@evertz.com
- 28/02/2025 - ONEKEY sends a notification to Service@evertz.com, info@evertz.com, security@evertz.com, psirt@evertz.com, support@evertz.com
- 28/03/2025 - ONEKEY sends a reminder to Service@evertz.com, info@evertz.com, security@evertz.com, psirt@evertz.com, support@evertz.com, ukservice@evertz.com, sales@evertz.com, Vertrieb@evertz.com
- 10/04/2025 - ONEKEY attempts to get in touch with Evertz through its @EvertzTV account on x.com
- 11/04/2025 - ONEKEY sends InMails to different LinkedIn users working in cybersecurity teams at Evertz
- 27/04/2025 - ONEKEY opens a case with CERT.CC on VINCE (Vulnerability Information and Coordination Environment)
- 28/05/2025 - ONEKEY publishes this advisory
About Onekey
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann
Senior Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
team@euromarcom.de