CVE-2026-25817

HighRCEUpdated

Published: 13 March 2026

Published

13 March 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0039 60.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25817 is a high-severity Code Injection (CWE-94) vulnerability in Windows (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 39.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by requiring validation and sanitization of inputs containing special elements used in OS commands.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation through firmware updates that address the specific improper neutralization vulnerability.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to limit the scope and impact of remote code execution achievable by low-privilege attackers.

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

CVE enables remote code execution via OS command injection (CWE-94) with low-privilege credentials, directly facilitating T1210 (Exploitation of Remote Services) for arbitrary code execution on remote gateways and T1068 (Exploitation for Privilege Escalation) from low privileges to high-impact control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have improper neutralization of special elements used in an OS command allowing remote code execution by attackers with low…

privilege access on the gateway, provided the attacker has credentials.

Deeper analysisAI

CVE-2026-25817 is a code injection vulnerability stemming from improper neutralization of special elements used in an OS command (CWE-94), enabling remote code execution. It affects HMS Networks Ewon Flexy gateways running firmware before version 15.0s4, Cosy+ gateways with firmware 22.xx before 22.1s6, and Cosy+ gateways with firmware 23.xx before 23.0s3. Published on 2026-03-13, the flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker requires low-privilege credentials and access to the gateway to exploit this remotely over the network. With low attack complexity and no user interaction needed, exploitation allows arbitrary code execution on the device, compromising confidentiality, integrity, and availability to a high degree.

The HMS Networks security advisory (2026-03-09-001) addresses this and related vulnerabilities in Ewon Flexy and Cosy+ gateways, recommending firmware updates to version 15.0s4 for Ewon Flexy, 22.1s6 for affected Cosy+ 22.xx firmware, and 23.0s3 for affected Cosy+ 23.xx firmware as the primary mitigation. Further details are available in the advisory PDF and on the Ewon Flexy product page.