Description
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 allows unauthenticated attackers to cause a Denial of Service by using a specially crafted HTTP request that leads to a reboot of the device, provided they have access to the device's GUI.
Published: 2026-03-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Unauthenticated attackers can send a specially crafted HTTP request to the device’s web interface, causing the device to reboot. This results in a denial of service, as the device is temporarily unavailable while it restarts. The flaw is classified as CWE-400 (Uncontrolled Resource Consumption).

Affected Systems

Ewon Flexy devices running firmware versions earlier than 15.0s4 and Cosy+ devices running firmware 22.xx before 22.1s6 or firmware 23.xx before 23.0s3 are affected. Attackers need only unauthenticated HTTP access to the GUI.

Risk and Exploitability

The CVSS base score of 7.5 marks the vulnerability as high severity. Its EPSS score is below 1%, suggesting a low current exploitation likelihood, and it is not listed in the CISA KEV catalog. Exploitation requires only network-based HTTP access to the web interface, with no additional credentials required, making the attack vector straightforward for any party with network access to the device.

Generated by OpenCVE AI on March 18, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to firmware 15.0s4 or newer on Ewon Flexy devices.
  • Update to firmware 22.1s6 or newer on Cosy+ devices running 22.xx.
  • Update to firmware 23.0s3 or newer on Cosy+ devices running 23.xx.
  • If updates cannot be applied, restrict or block GUI access with a firewall or network segmentation.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 15:45:00 +0000

Type: Title
Values Added: Unauthenticated HTTP Request Denial of Service on HMS Networks Devices

Fri, 13 Mar 2026 13:15:00 +0000

Type: Weaknesses
Values Added: CWE-400

Type: Metrics
Values Added:
cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Hms-networks; Hms-networks ewon Cosy; Hms-networks ewon Flexy

Type: Vendors & Products
Values Added: Hms-networks; Hms-networks ewon Cosy; Hms-networks ewon Flexy

Thu, 12 Mar 2026 21:45:00 +0000

Type: Description
Values Added: HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 allows unauthenticated attackers to cause a Denial of Service by using a specially crafted HTTP request that leads to a reboot of the device, provided they have access to the device's GUI.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-13T13:00:16.705Z

Reserved: 2026-02-06T00:00:00.000Z

Link: CVE-2026-25819

Vulnrichment

Updated: 2026-03-13T13:00:09.762Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:54:27.627

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-25819

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:31Z

Weaknesses