Cyber Posture

CVE-2026-25817

High

Published: 13 March 2026

Published
13 March 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0034 56.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have improper neutralization of special elements used in an OS command allowing remote code execution by attackers with low…

more

privilege access on the gateway, provided the attacker has credentials.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents command injection by requiring validation and sanitization of inputs containing special elements used in OS commands.

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation through firmware updates that address the specific improper neutralization vulnerability.

AC-6 Least Privilege partial match
prevent

Enforces least privilege to limit the scope and impact of remote code execution achievable by low-privilege attackers.

Security SummaryAI

CVE-2026-25817 is a code injection vulnerability stemming from improper neutralization of special elements used in an OS command (CWE-94), enabling remote code execution. It affects HMS Networks Ewon Flexy gateways running firmware before version 15.0s4, Cosy+ gateways with firmware 22.xx before 22.1s6, and Cosy+ gateways with firmware 23.xx before 23.0s3. Published on 2026-03-13, the flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker requires low-privilege credentials and access to the gateway to exploit this remotely over the network. With low attack complexity and no user interaction needed, exploitation allows arbitrary code execution on the device, compromising confidentiality, integrity, and availability to a high degree.

The HMS Networks security advisory (2026-03-09-001) addresses this and related vulnerabilities in Ewon Flexy and Cosy+ gateways, recommending firmware updates to version 15.0s4 for Ewon Flexy, 22.1s6 for affected Cosy+ 22.xx firmware, and 23.0s3 for affected Cosy+ 23.xx firmware as the primary mitigation. Further details are available in the advisory PDF and on the Ewon Flexy product page.

Details

CWE(s)
CWE-94

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

CVE enables remote code execution via OS command injection (CWE-94) with low-privilege credentials, directly facilitating T1210 (Exploitation of Remote Services) for arbitrary code execution on remote gateways and T1068 (Exploitation for Privilege Escalation) from low privileges to high-impact control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References