Impact
A cross‑site request forgery (CSRF) flaw in the administrative web UI of the EZCast Pro II dongle, firmware version 1.17478.146, lets an attacker operate the interface with an administrator's privileges. The attacker does not break authentication: the device treats any state‑changing request that arrives with a valid session cookie as the administrator's intent, and a browser that is logged in to the device attaches that cookie to requests triggered by an attacker‑controlled page. The forged requests therefore pass the device's authorization checks exactly as a legitimate administrator's would. Everything the administrator can do through the UI becomes reachable: modifying device settings, adding or removing remote endpoints, and potentially changing firmware or network configuration, which compromises the integrity and availability of the device.
Affected Systems
Affected systems are Nimbletech EZCast Pro II wireless dongles running firmware 1.17478.146. This covers the hardware dongle as well as the boxed product that ships the same firmware. The CNA data lists only this version, so the first step is to confirm the firmware version a given device reports; devices already updated past 1.17478.146 are outside the listed scope, but versions the record does not mention should not be assumed unaffected without confirmation from the vendor.
Risk and Exploitability
The CVSS score of 6.8 places the flaw in the Medium severity band; the real risk depends on how exposed the admin UI is and how often an administrator is logged in to it. The EPSS score of less than 1 % indicates a low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog, so immediate action is not urgent for most environments. The attacker does not need to reach the device directly. What is required is an administrator whose browser holds an authenticated session to the dongle and who is lured, for example by a link or a page with a hidden auto‑submitting form, into loading attacker‑controlled content; the browser then issues the forged request with the session cookie attached. The administrator's browser must be able to reach the device (typically from the same network), but the attacker's page can be hosted anywhere, and the attacker never needs to see the response. Because the device applies no CSRF control, such as an anti‑CSRF token or an Origin check, it accepts these requests without re‑authentication.
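The mechanism described in the Impact and Risk sections, as an added example that is not code from the original page or from the vendor's firmware: a Python model of an admin settings endpoint in the pattern the advisory describes (authorization resting on the session cookie alone) beside a hardened version that checks the request's Origin/Referer against the device's own origin and requires a per‑session synchronizer token. The device address 192.168.203.1, the path /cgi-bin/settings, the cookie name sid and the form field names are all assumptions for illustration; the EZCast Pro II's real endpoints are not given in the advisory.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical device origin; the real EZCast Pro II admin address is not in the advisory.
ADMIN_ORIGIN = "http://192.168.203.1"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    csrf_token: str


SESSIONS: dict = {}


def login(user: str) -> tuple:
    """Create a session. The hardened handler also binds a random token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user, csrf_token=secrets.token_urlsafe(32))
    return sid, SESSIONS[sid]


def session_from(req: Request):
    return SESSIONS.get(req.cookies.get("sid"))


def request_origin(req: Request):
    """scheme://host[:port] of the page that issued the request, or None if unknown.
    Browsers set Origin on cross-origin POSTs; Referer is the fallback."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        u = urlsplit(referer)
        return f"{u.scheme}://{u.netloc}"  # exact origin, never a prefix match on the URL
    return None


def vulnerable_change_settings(req: Request) -> tuple:
    """The pattern the advisory describes: a valid session cookie is the only check,
    so the handler cannot tell the admin's own click from a request forced by another site."""
    sess = session_from(req)
    if req.method != "POST" or sess is None:
        return 401, "not authenticated"
    return 200, f"settings updated by {sess.user}: {req.form}"


def hardened_change_settings(req: Request) -> tuple:
    """Same endpoint with two independent CSRF defences:
    1. the request's origin must be the device itself (fails closed when unknown);
    2. the form must carry this session's token, compared in constant time."""
    sess = session_from(req)
    if req.method != "POST" or sess is None:
        return 401, "not authenticated"
    if request_origin(req) != ADMIN_ORIGIN:
        return 403, "cross-origin or unknown-origin request rejected"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, f"settings updated by {sess.user}: {req.form}"


def forged_request(sid: str) -> Request:
    """What an attacker page makes the admin's browser send (constructed sample):
    the browser adds the session cookie itself, but Origin names the attacker's site
    and the attacker has no way to learn the per-session token."""
    return Request("POST", "/cgi-bin/settings", {"sid": sid},
                   {"Origin": "http://attacker.example"},
                   {"ssid": "evil", "password": "hunter2"})


def legitimate_request(sid: str, sess: Session) -> Request:
    """The same change submitted from the device's own admin page."""
    return Request("POST", "/cgi-bin/settings", {"sid": sid},
                   {"Origin": ADMIN_ORIGIN},
                   {"ssid": "home", "csrf_token": sess.csrf_token})


def demo() -> dict:
    """HTTP status each handler returns for a forged and a legitimate request."""
    sid, sess = login("admin")
    return {
        "vuln_forged": vulnerable_change_settings(forged_request(sid))[0],
        "vuln_legit": vulnerable_change_settings(legitimate_request(sid, sess))[0],
        "hard_forged": hardened_change_settings(forged_request(sid))[0],
        "hard_legit": hardened_change_settings(legitimate_request(sid, sess))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler returns 200 for the forged request because the cookie alone satisfies it; the hardened one returns 403 and still accepts the administrator's own submission. The token is the primary defence; the origin check is defence in depth and deliberately fails closed when neither Origin nor Referer is present, which some privacy settings cause, so a deployment that cannot accept that must rely on the token alone. Marking the session cookie SameSite would add a third, browser-enforced layer.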
OpenCVE Enrichment