
Several Evertz SDN Vulnerabilities Allow Unauthenticated Attackers to Execute Arbitrary Commands


ONEKEY Research Labs has disclosed critical security vulnerabilities affecting multiple Evertz broadcasting devices after the vendor failed to respond to disclosure attempts over a 90-day period.

The vulnerabilities, tracked as CVE-2025-4009 with a CVSS score of 9.3, enable remote attackers to execute arbitrary commands with root privileges on affected systems without authentication, potentially compromising broadcast operations across the industry.

Security researchers at ONEKEY Research Labs identified severe command injection vulnerabilities in Evertz’s webEASY (ewb) interface, which serves as the core web administration platform shared across virtually all Evertz product lines.

The affected systems include the confirmed vulnerable SDVN 3080ipx-10G High Bandwidth Ethernet Switching Fabric, along with potentially vulnerable models such as MViP-II, cVIP, 7890IXG, CC Access Server, and 5782XPS-APP-4E devices.

The vulnerabilities stem from inadequate input sanitization in two PHP endpoints within the web management interface.

Specifically, the feature-transfer-import.php and feature-transfer-export.php files construct system commands using unsanitized user-controlled parameters including action, filename, and slot variables.

This design flaw allows attackers to inject malicious commands directly into the underlying operating system.

The broadcasting industry’s widespread adoption of Evertz equipment makes these vulnerabilities particularly concerning.

Successful exploitation could lead to severe business disruption including interruption of media streaming services, unauthorized modification of broadcast content, and tampering with closed caption generation systems.

Remote Command Execution

The severity of these command injection vulnerabilities escalates significantly due to a critical authentication bypass mechanism discovered in the login.php file.

The researchers found that the application accepts a “preauthorized” GET parameter that triggers the parseAuthorizedUsers function, which processes either JSON or base64-encoded JSON structures without proper validation.

This authentication bypass allows attackers to craft base64-encoded JSON payloads representing administrative users with unrestricted roles.

The application accepts these fabricated credentials without verification, instantly granting full administrative access to unauthenticated users.

When combined with the command injection vulnerabilities, this bypass creates a complete attack chain enabling remote code execution with root privileges.

The attack can be executed through simple HTTP requests, making exploitation straightforward for malicious actors.

The research team demonstrated successful authentication bypass followed by arbitrary command execution, confirming the critical nature of these security flaws.


Vendor Unresponsiveness Forces Full Disclosure

This disclosure marks a significant milestone for ONEKEY Research Labs, representing their first full disclosure after successfully coordinating vulnerability disclosures with over 20 vendors for nearly 50 different vulnerabilities.

According to the report, the research team initiated contact with Evertz on February 25, 2025, attempting multiple communication channels including various email addresses, LinkedIn messaging, Twitter contact, and ultimately escalating to CERT/CC through their VINCE platform.

Despite extensive outreach efforts spanning three months and utilizing every available communication channel, Evertz failed to acknowledge or respond to the vulnerability reports.

The 90-day disclosure deadline expired on May 26, 2025, prompting ONEKEY to publish the full advisory two days later on May 28, 2025.

Network administrators using Evertz equipment should immediately implement network-level access controls to isolate web management interfaces from untrusted networks and monitor for suspicious web requests or unusual shell process spawning until official patches become available.
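A defender-side check for the two request patterns described above (the "preauthorized" parameter sent to login.php, and shell metacharacters in the action, filename and slot parameters of the feature-transfer endpoints), run over constructed sample access-log lines. This is an added example, not code from ONEKEY or Evertz; the combined log format, the metacharacter list and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named in the advisory summary above.
AUTH_BYPASS_PATH = "/login.php"
INJECTION_PATHS = {"/feature-transfer-import.php", "/feature-transfer-export.php"}
INJECTION_PARAMS = ("action", "filename", "slot")
# Shell metacharacters that have no place in a slot number or a filename (assumed list).
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Combined-format access log line: client, timestamp, request line, status (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real traffic): one bypass attempt, one injection attempt
# with a URL-encoded pipe in 'action', and two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2025:10:01:12 +0000] "GET /login.php?preauthorized=eyJ... HTTP/1.1" 200 512
10.0.0.5 - - [28/May/2025:10:01:15 +0000] "GET /feature-transfer-export.php?action=export%7Cid&filename=x&slot=1 HTTP/1.1" 200 88
10.0.0.7 - - [28/May/2025:10:02:00 +0000] "GET /feature-transfer-import.php?action=import&filename=config.tar&slot=2 HTTP/1.1" 200 40
10.0.0.9 - - [28/May/2025:10:03:30 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

def inspect_request(target):
    """Return the reasons (possibly none) a request target matches the advisory's pattern."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values once
    findings = []
    if parts.path == AUTH_BYPASS_PATH and "preauthorized" in query:
        findings.append("auth-bypass: 'preauthorized' parameter sent to login.php")
    if parts.path in INJECTION_PATHS:
        for name in INJECTION_PARAMS:
            if any(SHELL_META.search(v) for v in query.get(name, [])):
                findings.append(f"cmd-injection: shell metacharacter in '{name}'")
    return findings

def scan_log(text):
    """Parse each access-log line and collect the requests that match."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m["target"])
        if reasons:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["ts"], a["ip"], a["target"], "->", "; ".join(a["reasons"]))
```

Because parse_qs percent-decodes only once, a double-encoded value would pass the metacharacter check, so treat this as a supplement to the network isolation recommended above rather than a replacement for it.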
