CVE-2026-25819
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 allows unauthenticated attackers to cause a Denial of Service by using a specially crafted HTTP request that leads to a reboot of the device, provided they have access to the device's GUI.
AnalysisAI
CVE-2026-25819 is an unauthenticated denial of service vulnerability affecting HMS Networks Ewon industrial IoT gateways (Flexy and Cosy+ models) that allows remote attackers to reboot devices through specially crafted HTTP requests to the web GUI. With a CVSS score of 7.5 (High) but low EPSS score (0.02%), this vulnerability has not been added to CISA KEV and shows minimal exploitation activity in the wild.
Technical ContextAI
This vulnerability affects HMS Networks' industrial IoT gateway products used for remote monitoring and control of industrial equipment. The root cause is improper resource management (CWE-400) in the device's web server, where specially crafted HTTP requests can trigger uncontrolled resource consumption leading to device reboot. Affected versions include Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3. These devices are commonly deployed in industrial environments for remote access to PLCs and other automation equipment.
Affected ProductsAI
HMS Networks Ewon Flexy (all models) with firmware versions before 15.0s4; HMS Networks Ewon Cosy+ with firmware 22.xx series before version 22.1s6; HMS Networks Ewon Cosy+ with firmware 23.xx series before version 23.0s3. The vulnerability specifically affects devices where the web GUI interface is accessible to potential attackers.
RemediationAI
Update firmware to patched versions: Ewon Flexy to firmware 15.0s4 or later, Cosy+ firmware 22.xx to version 22.1s6 or later, Cosy+ firmware 23.xx to version 23.0s3 or later. As a workaround, restrict network access to the device GUI interface through firewall rules or VPN requirements. Full details available in HMS Networks security advisory at https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2026-03-09-001---ewon-several-flexy-and-cosy--vulnerabilities.pdf.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today