CVE-2019-25322
Published: 12 February 2026
Summary
CVE-2019-25322 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Zoneregeling (inferred from references), with a CVSS base score of 9.3 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). It is ranked at the 19.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2019-25322 is a hardcoded credentials vulnerability in Heatmiser Netmonitor version 3.03. The flaw exists in the networkSetup.htm page, where the device exposes predictable admin login credentials (username 'admin' and password 'admin') inside hidden form input fields. The issue corresponds to CWE-798 (Use of Hard-coded Credentials) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting a high confidentiality impact from network-accessible exploitation.
Any remote attacker with network access to the device can exploit this vulnerability without authentication, user interaction, or special attack complexity. By submitting the hardcoded credentials through the networkSetup.htm page, an attacker gains unauthorized administrative access to the Netmonitor device and can retrieve sensitive configuration data or potentially manipulate device settings.
Advisories and additional resources, including a proof-of-concept exploit, are documented at Vulncheck (https://www.vulncheck.com/advisories/heatmiser-netmonitor-hardcoded-credentials), Exploit-DB (https://www.exploit-db.com/exploits/47823), the Heatmiser Netmonitor manual (https://www.zoneregeling.nl/heatmiser/netmonitor-handleiding.pdf), and an archived Heatmiser site (https://web.archive.org/web/20190724160628/https://www.heatmiser.com/en/). No patches or specific mitigations are outlined in the available description.
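Because the advisory describes credentials embedded in hidden form inputs, a defender can confirm exposure (or verify that a fix has taken effect) by auditing a saved copy of the device's page for exactly that pattern. The following script is an added example written for this page, not code from Heatmiser or from any of the advisories referenced above; the form field names and the sample markup are constructed assumptions, since the real networkSetup.htm field names are not given here. It parses the HTML with the standard library, lists every hidden input whose name suggests an account name or secret and whose value is populated, and reports whether the leaked pair matches a known vendor default.

```python
"""Audit a saved device web page for credentials leaked in hidden form fields."""
from html.parser import HTMLParser

# Name fragments that suggest what a form field carries.
PASSWORD_HINTS = ("pass", "pwd", "secret")
USERNAME_HINTS = ("user", "login")
OTHER_SECRET_HINTS = ("key", "token")

# Vendor default pairs to flag. Only the admin/admin pair named in the
# advisory is listed; extend this from your own asset inventory.
KNOWN_DEFAULT_PAIRS = {("admin", "admin")}


def classify_field(name):
    """Map a field name to 'password', 'username', 'secret', or None."""
    lowered = name.lower()
    if any(h in lowered for h in PASSWORD_HINTS):
        return "password"
    if any(h in lowered for h in USERNAME_HINTS):
        return "username"
    if any(h in lowered for h in OTHER_SECRET_HINTS):
        return "secret"
    return None


class HiddenInputCollector(HTMLParser):
    """Collects (name, value) for every <input type="hidden"> in the document."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    # handle_startendtag defaults to handle_starttag, so <input ... /> is covered too.
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("type", "").lower() == "hidden":
            self.hidden.append((attr.get("name", ""), attr.get("value", "")))


def find_leaked_credentials(html):
    """Return hidden inputs with a credential-like name and a non-empty value."""
    parser = HiddenInputCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for name, value in parser.hidden:
        kind = classify_field(name)
        if kind and value:
            findings.append({"field": name, "kind": kind, "value": value})
    return findings


def matches_known_default(findings):
    """True if any leaked username/password combination is a known vendor default."""
    usernames = {f["value"] for f in findings if f["kind"] == "username"}
    passwords = {f["value"] for f in findings if f["kind"] == "password"}
    return any((u, p) in KNOWN_DEFAULT_PAIRS for u in usernames for p in passwords)


def audit(html):
    """Summarise one page: leaked field names and whether they form a known default pair."""
    findings = find_leaked_credentials(html)
    return {"leaked_fields": [f["field"] for f in findings],
            "known_default": matches_known_default(findings)}


# Constructed sample resembling the pattern the advisory describes. The field
# names are assumptions, not the real networkSetup.htm markup.
SAMPLE_VULNERABLE_PAGE = """
<html><body>
<form method="post" action="networkSetup.htm">
  <input type="hidden" name="page" value="networkSetup">
  <input type="hidden" name="login_user" value="admin">
  <input type="hidden" name="login_pass" value="admin" />
  <input type="text" name="hostname" value="thermostat-01">
  <input type="submit" value="Save">
</form>
</body></html>
"""

# Constructed sample of a page whose hidden fields carry no credentials.
SAMPLE_CLEAN_PAGE = """
<html><body>
<form method="post" action="login.htm">
  <input type="hidden" name="page" value="login">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("vulnerable", SAMPLE_VULNERABLE_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        print(label, audit(page))
```

Run it against an HTML file saved from the device before and after remediation (firmware update or credential change); a `known_default` of `True`, or any entry in `leaked_fields`, means the page still ships credentials to every unauthenticated client that requests it. The `value` check matters: an empty hidden password field is normal form plumbing, while a populated one is the defect this CVE describes.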
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19571
Vulnerability details
Heatmiser Netmonitor 3.03 contains a hardcoded credentials vulnerability in the networkSetup.htm page with predictable admin login credentials. Attackers can access the device by using the hard-coded username 'admin' and password 'admin' in the hidden form input fields.
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded default admin credentials ('admin'/'admin') exposed in the web interface directly enable the Default Accounts technique: anyone who can reach the device can log in as the administrator without discovering or guessing anything.
Mitigating Controls (NIST 800-53 r5)
IA-5 requires secure management of authenticators, including changing default authenticators before deployment and prohibiting hardcoded credentials such as the exposed 'admin/admin' pair.
AC-2 mandates account management processes to identify, disable, and review default accounts with predictable hardcoded credentials.
SI-2 ensures identification, reporting, and remediation of software flaws such as hardcoded credentials to prevent unauthorized admin access.