CVE-2025-10364 is a critical remote command injection vulnerability affecting the Evertz SDVN 3080ipx-10G, a high bandwidth Ethernet switching fabric device used primarily in video applications. The device exposes a web management interface on port 80, developed in PHP using the webEASY SDK (ewb). This interface allows administrators to configure network switching, control product features, and manage licenses. The vulnerability exists specifically in the feature-transfer-export.php endpoint, where improper neutralization of special elements (CWE-77) allows unauthenticated remote attackers to inject arbitrary commands. Exploitation leads to arbitrary command execution with root privileges, enabling full system compromise. This is compounded by related vulnerabilities including another command injection (CVE-2025-4009) and an authentication bypass flaw (CVE-2025-10365), which together significantly increase the attack surface and ease of exploitation. The CVSS 4.0 base score is 9.3 (critical), reflecting the vulnerability's network attack vector, no required authentication or user interaction, and high impact on confidentiality, integrity, and availability. Successful exploitation could disrupt media streaming services, alter streamed content, or manipulate closed captions, causing severe operational and reputational damage to organizations relying on these devices for broadcast or media distribution.

For European organizations, particularly broadcasters, media companies, and service providers using Evertz 3080ipx-10G devices, this vulnerability poses a severe risk. Compromise could lead to interruption or manipulation of live media streams, impacting service availability and content integrity. This could result in financial losses, regulatory penalties (especially under GDPR for service disruptions), and damage to brand reputation. The ability for unauthenticated remote attackers to gain root access means attackers could pivot within networks, potentially compromising other critical infrastructure. Given the device's role in high bandwidth video switching, attacks could affect large-scale media distribution across Europe, disrupting communications and entertainment services. The lack of known exploits in the wild currently provides a window for mitigation, but the critical nature demands immediate attention.

Organizations should immediately assess their exposure to the Evertz 3080ipx-10G device, especially those with web management interfaces accessible from untrusted networks. Specific mitigations include: 1) Isolate the management interface on a secure, internal network segment with strict access controls and network segmentation to prevent unauthorized external access. 2) Implement web application firewalls (WAFs) with custom rules to detect and block command injection patterns targeting feature-transfer-export.php and related endpoints. 3) Monitor network traffic and device logs for unusual commands or access attempts indicative of exploitation attempts. 4) Coordinate with Evertz for firmware updates or patches addressing these vulnerabilities; if unavailable, consider temporary compensating controls such as disabling the vulnerable web interface or restricting access via VPN. 5) Conduct regular vulnerability scans and penetration tests focusing on these devices to ensure no residual exposure. 6) Train operational staff to recognize signs of compromise and respond swiftly to incidents involving media infrastructure.