CVE-2026-25817
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have improper neutralization of special elements used in an OS command allowing remote code execution by attackers with low privilege access on the gateway, provided the attacker has credentials.
AnalysisAI
HMS Networks' industrial IoT gateways (Ewon Flexy and Cosy+) contain a command injection vulnerability that allows authenticated attackers to execute arbitrary OS commands remotely. This affects Flexy devices before firmware 15.0s4 and Cosy+ devices before 22.1s6 (22.x branch) or 23.0s3 (23.x branch). With a CVSS score of 8.8 but low EPSS of 0.06%, this vulnerability requires valid credentials but enables full system compromise.
Technical ContextAI
The vulnerability stems from improper input sanitization in OS command execution (CWE-94), allowing attackers to inject malicious commands through user-controlled input. HMS Networks Ewon devices are industrial IoT gateways used for remote access and monitoring of industrial equipment. The affected products include Ewon Flexy 205 (identified via reference URL) and Cosy+ models. These devices typically bridge OT and IT networks, making them critical security boundaries in industrial environments.
Affected ProductsAI
HMS Networks Ewon Flexy (all models) with firmware versions before 15.0s4; HMS Networks Cosy+ with firmware 22.xx before version 22.1s6; HMS Networks Cosy+ with firmware 23.xx before version 23.0s3. The Flexy 205 model is specifically referenced in the advisory links. Industrial facilities using these devices for remote access should verify their firmware versions immediately.
RemediationAI
Update to patched firmware versions: Ewon Flexy to 15.0s4 or later, Cosy+ 22.x branch to 22.1s6 or later, Cosy+ 23.x branch to 23.0s3 or later. HMS Networks has published a security advisory (dated 2026-03-09) with detailed patching instructions. As an interim mitigation, restrict network access to the devices, implement strong authentication, monitor for suspicious command execution, and disable unnecessary remote access features until patching is complete.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today