Cyber Resilience

CVE-2019-25322

Critical · Public PoC

Published: 12 February 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0028 (19.3th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2019-25322 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Zoneregeling (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 19.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2019-25322 is a hardcoded credentials vulnerability in Heatmiser Netmonitor version 3.03. The flaw exists in the networkSetup.htm page, where the device exposes predictable admin login credentials—username 'admin' and password 'admin'—within hidden form input fields. This issue corresponds to CWE-798 (Use of Hard-coded Credentials) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact from network-accessible exploitation.

Any remote attacker with network access to the device can exploit this vulnerability without prior authentication, user interaction, or a complex attack path. By submitting the hardcoded credentials through the networkSetup.htm page, attackers gain unauthorized administrative access to the Netmonitor device, enabling them to retrieve sensitive configuration data or potentially manipulate device settings.
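A defender-side check for the pattern described above, as an added example that is not from the advisory or the vendor: it parses a page a device serves and reports credential-like form inputs that arrive pre-filled. The sample page and its field names (`loginName`, `loginPass`) are constructed for illustration and are not taken from the Netmonitor firmware.

```python
"""Audit served HTML for credentials pre-filled into form inputs (CWE-798)."""
import re
from html.parser import HTMLParser

# Heuristic for input names that usually carry an authenticator.
CRED_NAME = re.compile(r"user|login|pass|pwd|secret", re.I)
# Vendor-default style values; a match raises the finding's severity.
DEFAULT_VALUES = {"admin", "password", "1234", "root", "guest"}

# Constructed sample page; field names are hypothetical, not the device's.
SAMPLE_PAGE = """<html><body>
<form method="post" action="/save">
  <input type="hidden" name="loginName" value="admin">
  <input type="hidden" name="loginPass" value="admin">
  <input type="text" name="ipAddress" value="192.168.1.10">
  <input type="password" name="newPass" value="">
</form></body></html>"""


class _InputCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name, value = a.get("name", ""), a.get("value", "")
        # A pre-filled credential field is sent to every client loading the page.
        if value and CRED_NAME.search(name):
            line, _ = self.getpos()
            sev = "high" if value.lower() in DEFAULT_VALUES else "medium"
            # The value itself is left out so reports do not copy secrets.
            self.findings.append({"line": line, "name": name,
                                  "type": a.get("type", "text").lower(),
                                  "severity": sev})


def audit_page(html):
    """Return one finding per pre-filled credential-like <input>."""
    parser = _InputCollector()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(finding)
```

Run over the HTML assets of a firmware image or a saved copy of each management page, any "high" finding is a candidate for the IA-5 review listed under the mitigating controls.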

Advisories and additional resources, including a proof-of-concept exploit, are documented at Vulncheck (https://www.vulncheck.com/advisories/heatmiser-netmonitor-hardcoded-credentials), Exploit-DB (https://www.exploit-db.com/exploits/47823), the Heatmiser Netmonitor manual (https://www.zoneregeling.nl/heatmiser/netmonitor-handleiding.pdf), and an archived Heatmiser site (https://web.archive.org/web/20190724160628/https://www.heatmiser.com/en/). No patches or specific mitigations are outlined in the available description.

Vulnerability details

Heatmiser Netmonitor 3.03 contains a hardcoded credentials vulnerability in the networkSetup.htm page with predictable admin login credentials. Attackers can access the device by using the hard-coded username 'admin' and password 'admin' in the hidden form input fields.

CWE(s)

CWE-798: Use of Hard-coded Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hardcoded default admin credentials ('admin'/'admin') exposed in the web interface directly enable the use of default accounts for unauthorized remote administrative access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26218 · Shared CWE-798
CVE-2026-22900 · Shared CWE-798
CVE-2024-51547 · Shared CWE-798
CVE-2024-46433 · Shared CWE-798
CVE-2026-27785 · Shared CWE-798
CVE-2020-37135 · Shared CWE-798
CVE-2026-24346 · Shared CWE-798
CVE-2026-25803 · Shared CWE-798
CVE-2025-33089 · Shared CWE-798
CVE-2026-29119 · Shared CWE-798

Affected Assets

Zoneregeling
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: IA-5 requires secure management of authenticators, including changing defaults and prohibiting hardcoded credentials like the exposed 'admin/admin' pair.

Prevent: AC-2 mandates account management processes to identify, disable, and review default accounts with predictable hardcoded credentials.

Prevent: SI-2 ensures identification, reporting, and remediation of software flaws such as hardcoded credentials to prevent unauthorized admin access.
