Critical Vulnerability Information

Title: Ilevia EVE X1 Server 4.7.18.0.eden Credentials Leak Through Log Disclosure
Type: Local/Remote
Impact: Security Exploit, Exposure of System Information, Exposure of Sensitive Information
Risk Level: 5/5
Release Date: 19.08.2025

Summary:
- EVE is a smart home and building automation system designed for residential and commercial environments.
- EVE X1 Server is a dedicated hardware solution for advanced building automation requirements.

Description:
- A critical vulnerability has been discovered in the EVE smart home and BMS/BAS control systems, caused by improper handling of sensitive information in server-side logs.
- Specifically, log files accessible via the web server expose credentials in plain text, including usernames and passwords submitted during authentication.
- This disclosure allows remote attackers to reuse valid login credentials by accessing the exposed log files, potentially leading to full system compromise.

Affected Versions:

References:
- [1] https://packetstorm.news/files/id/206700/
- [2] https://www.wunchock.com/advisories/ilevia-eve-x1-server-credentials-leak-through-log-disclosure
- [3] https://www.cve.org/CVERecord?id=CVE-2025-34183
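
The description above is a case of authentication data being written to logs in plain text. As an added example (not code from the advisory or from the vendor), the following Python masks credential values before a line is logged and audits existing log lines for values already in the clear. The key names, function names and sample log lines are constructed assumptions, since the advisory does not show the product's log format.

```python
import logging
import re

# Assumed key names whose values must never reach a log file; adjust per application.
_KEYS = "password|passwd|pwd|secret|token"
MASK = "[REDACTED]"

# key=value pairs (query string or form body), including prefixed keys like access_token.
_FORM = re.compile(rf"""(?i)([\w.-]*(?:{_KEYS}))=([^&\s"']+)""")
# "key": "value" pairs in JSON, tolerating escaped quotes inside the value.
_JSON = re.compile(rf'(?i)("[\w.-]*(?:{_KEYS})"\s*:\s*")((?:[^"\\]|\\.)*)(")')


def redact(line: str) -> str:
    """Return the line with credential values masked; usernames are left intact."""
    line = _FORM.sub(lambda m: f"{m.group(1)}={MASK}", line)
    return _JSON.sub(lambda m: f"{m.group(1)}{MASK}{m.group(3)}", line)


def audit(lines):
    """Return 1-based numbers of lines that still carry a credential in the clear."""
    return [n for n, line in enumerate(lines, 1) if redact(line) != line]


class RedactingFilter(logging.Filter):
    """Attach to a handler so records are masked before they are written."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Constructed sample log lines (not taken from the affected product).
SAMPLE = [
    '2025-01-01 10:00:00 POST /login user=admin&password=Example123!',
    '2025-01-01 10:00:01 GET /status 200',
    '2025-01-01 10:00:02 auth request {"user": "alice", "password": "s3cr\\"et"}',
]

if __name__ == "__main__":
    print("lines with plaintext credentials:", audit(SAMPLE))
    for entry in SAMPLE:
        print(redact(entry))
```

Masking at write time addresses only the logging half of the issue; the log files should also not be reachable through the web server.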