Description
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have weak entropy for authentication cookies, allowing an attacker with a stolen session cookie to find the user password by brute-forcing an encryption parameter.
Published: 2026-03-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Credential Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is weak entropy in the authentication cookies issued by the affected HMS Networks devices. The cookie carries password-derived material protected by an encryption parameter drawn from a space small enough to enumerate, so an attacker who obtains a session cookie can brute-force that parameter offline and recover the plaintext password. Because the cookie leaks the credential itself rather than only a session, the attacker gains access that survives session expiry and does not depend on replaying the stolen cookie. The entry is classified as CWE-315 (Cleartext Storage of Sensitive Information in a Cookie): the password is recoverable from the cookie with a small brute-force effort, which for practical purposes is equivalent to storing it in the clear. The impact is compromise of the affected user's credentials and unauthorized access to the device with that user's privileges, a critical loss of confidentiality and integrity.

Affected Systems

HMS Networks Ewon Flexy firmware versions prior to 15.0s4, Cosy+ firmware 22.xx versions earlier than 22.1s6, and Cosy+ firmware 23.xx versions earlier than 23.0s3 are affected. Any device running an affected version is exposed to the credential-recovery flaw described above; note that the two Cosy+ branches have separate fixed versions, so the branch in use determines the target release.

Risk and Exploitability

The flaw has a CVSS 3.1 base score of 9.1, which is Critical (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so there is no indication of exploitation in the wild at the time of writing. The practical attack path does have a prerequisite the CVSS vector does not capture: the attacker must first obtain a valid session cookie, whether by sniffing unencrypted HTTP, from a compromised client, or through another flaw. With the cookie in hand the brute force of the weakly generated encryption parameter is entirely offline, so the device cannot rate-limit, log or otherwise observe it, and the result is the user password rather than merely an extended session. The attacker can then log in as that user at will; if the account is an administrator, that is full control of the device, and on a remote-access gateway it extends to whatever the device connects to.

Generated by OpenCVE AI on March 18, 2026 at 15:02 UTC.
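As an added illustration (not code from OpenCVE, HMS Networks or the advisory, which does not disclose the actual Ewon cookie format), the following Python models the class of weakness the description names: a cookie that protects password-derived data with an encryption parameter from a space small enough to enumerate, beside a session design that puts nothing password-derived in the cookie at all. The 16-bit parameter size, the SHA-256 stream construction and the sample credentials are assumptions made for the example.

```python
"""Toy model of a password-bearing cookie with a low-entropy encryption
parameter, and a hardened session design. Illustration code written for this
page: it is NOT the Ewon cookie format, which the advisory does not disclose.
The 16-bit parameter, the SHA-256 stream cipher and the credentials below are
all assumptions."""

import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

WEAK_PARAM_BITS = 16  # assumed: the "encryption parameter" has only 2^16 values


def _keystream(param: int, length: int) -> bytes:
    """Toy stream cipher keyed only by the parameter (an assumption, not the real scheme)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(param.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_make_cookie(username: str, password: str,
                     param: Optional[int] = None) -> Tuple[str, int]:
    """Vulnerable design: the cookie carries 'username:password' encrypted under
    a parameter with far too little entropy. Returns (cookie, param); a server
    built this way would keep param per session to decrypt on each request."""
    if param is None:
        param = secrets.randbelow(1 << WEAK_PARAM_BITS)
    plaintext = f"{username}:{password}".encode()
    ciphertext = _xor(plaintext, _keystream(param, len(plaintext)))
    return ciphertext.hex(), param


def weak_recover_password(cookie: str, username: str) -> Optional[Tuple[int, str]]:
    """Attacker side: given only a stolen cookie and the account name, try every
    parameter offline. A guess is accepted when the decryption has the expected
    'username:' prefix and is printable ASCII. With 2^16 candidates this finishes
    in well under a second, and nothing on the device can observe or throttle it."""
    ciphertext = bytes.fromhex(cookie)
    prefix = f"{username}:".encode()
    for param in range(1 << WEAK_PARAM_BITS):
        plaintext = _xor(ciphertext, _keystream(param, len(ciphertext)))
        if plaintext.startswith(prefix) and all(0x20 <= c < 0x7F for c in plaintext):
            return param, plaintext[len(prefix):].decode("ascii")
    return None


class SessionStore:
    """Hardened design: the cookie is a 256-bit random token that encodes nothing
    about the password; only a hash of the token is kept server-side, so neither
    the cookie nor a leaked session table yields a credential."""

    def __init__(self) -> None:
        self._sessions: Dict[bytes, str] = {}

    def login(self, username: str) -> str:
        token = secrets.token_bytes(32)
        self._sessions[hashlib.sha256(token).digest()] = username
        return token.hex()

    def user_for_cookie(self, cookie: str) -> Optional[str]:
        try:
            digest = hashlib.sha256(bytes.fromhex(cookie)).digest()
        except ValueError:  # malformed cookie
            return None
        for stored, user in self._sessions.items():
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                return user
        return None

    def revoke_user(self, username: str) -> int:
        """Terminate every session of a user, e.g. after a password change."""
        before = len(self._sessions)
        self._sessions = {k: v for k, v in self._sessions.items() if v != username}
        return before - len(self._sessions)


if __name__ == "__main__":
    # Constructed sample credentials; the parameter is fixed so the run is reproducible.
    cookie, param = weak_make_cookie("admin", "Gateway-Pa55", param=0x2A5F)
    print("stolen cookie:", cookie)
    print("recovered (param, password):", weak_recover_password(cookie, "admin"))
    store = SessionStore()
    good = store.login("admin")
    print("hardened lookup:", store.user_for_cookie(good))
    print("sessions revoked:", store.revoke_user("admin"), "-> lookup now:", store.user_for_cookie(good))
```

Note that weak_recover_password needs only the cookie: the device is never contacted, so login throttling or logging on the gateway does not help, and a cookie captured while the device ran a vulnerable build stays crackable after the firmware update. That is why a password change for every account that logged in during the exposure window belongs alongside the update, and why the hardened store includes a revoke path.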

Remediation

No vendor advisory link or workaround is recorded on this page. Fixed firmware versions are implied by the affected ranges in the description: Ewon Flexy 15.0s4, Cosy+ 22.1s6 for the 22.xx branch and Cosy+ 23.0s3 for the 23.xx branch.

OpenCVE Recommended Actions

  • Update Ewon Flexy to firmware 15.0s4 or later. Update Cosy+ to firmware 22.1s6 or later if running 22.xx, or to firmware 23.0s3 or later if running 23.xx. Check the official HMS Networks update pages or vendor support for the latest available firmware releases.
  • After updating, change the password of every account that logged in while the device ran a vulnerable build and terminate existing sessions: a cookie captured before the update can still be brute-forced offline, and the update does not undo a password already recovered that way.
  • Until the update is applied, reduce the attacker's prerequisite by reaching the device web interface only over HTTPS from trusted networks, so that session cookies are not exposed to capture.

Generated by OpenCVE AI on March 18, 2026 at 15:02 UTC.


Advisories

No advisories yet.

History

Fri, 20 Mar 2026 15:45:00 +0000

Type: Title
Values Added: Weak Cookie Entropy Enabling Password Brute-Force on HMS Networks Ewon Flexy and Cosy+

Fri, 13 Mar 2026 13:15:00 +0000

Type: Weaknesses
Values Added: CWE-315

Type: Metrics
Values Added:
  cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Hms-networks; Hms-networks ewon Cosy; Hms-networks ewon Flexy

Type: Vendors & Products
Values Added: Hms-networks; Hms-networks ewon Cosy; Hms-networks ewon Flexy

Thu, 12 Mar 2026 21:45:00 +0000

Type: Description
Values Added: HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have weak entropy for authentication cookies, allowing an attacker with a stolen session cookie to find the user password by brute-forcing an encryption parameter.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-13T12:58:56.027Z

Reserved: 2026-02-06T00:00:00.000Z

Link: CVE-2026-25818

Vulnrichment

Updated: 2026-03-13T12:58:51.647Z

NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:27.353

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-25818

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:32Z

Weaknesses