CVE-2026-25818
Published: 13 March 2026
Summary
CVE-2026-25818 is a critical-severity Cleartext Storage of Sensitive Information in a Cookie (CWE-315) vulnerability in Windows (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002). The CVE ranks at the 3.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25818 is a vulnerability in HMS Networks Ewon Flexy devices running firmware before version 15.0s4, Cosy+ devices with firmware 22.xx before 22.1s6, and Cosy+ devices with firmware 23.xx before 23.0s3. It arises from weak entropy in authentication cookies, which allows an attacker with a stolen session cookie to brute-force an encryption parameter and recover the associated user password. The issue is classified under CWE-315 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
The vulnerability can be exploited by any unauthenticated attacker with network access who obtains a valid session cookie from a targeted device, such as through network interception if sessions are not protected by TLS or via other cookie theft vectors. Successful exploitation enables high-impact confidentiality and integrity violations, specifically allowing the attacker to derive the plaintext user password through feasible brute-force attacks on the weakly randomized encryption parameter, potentially granting full administrative access depending on the compromised account.
Mitigation requires updating affected devices to the fixed firmware versions: Ewon Flexy to 15.0s4 or later, Cosy+ 22.xx to 22.1s6 or later, and Cosy+ 23.xx to 23.0s3 or later. Detailed remediation guidance is provided in the HMS Networks security advisory (https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2026-03-09-001---ewon-several-flexy-and-cosy--vulnerabilities.pdf?sfvrsn=f7c027b8_13) and product documentation (https://www.hms-networks.com/p/flexy20500-00ma-ewon-flexy-205).
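A firmware triage check for the fixed-version thresholds above, as an added example (not HMS Networks code and not part of the original page). It assumes version strings have the form shown on this page (`15.0s4`) and order numerically field by field; the inventory hostnames and versions are constructed.

```python
import re

# Fixed firmware versions as stated on this page; key is (product, major branch or None).
FIXED = {
    ("flexy", None): (15, 0, 4),  # Ewon Flexy: fixed in 15.0s4
    ("cosy+", 22): (22, 1, 6),    # Cosy+ 22.xx: fixed in 22.1s6
    ("cosy+", 23): (23, 0, 3),    # Cosy+ 23.xx: fixed in 23.0s3
}

# Assumption: "<major>.<minor>s<service release>", e.g. "15.0s4";
# a version without the "s" suffix is treated as service release 0.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)(?:s(\d+))?\s*$", re.IGNORECASE)


def parse_firmware(text):
    """Return (major, minor, service_release) or raise ValueError."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(product, firmware):
    """Classify one device as 'vulnerable', 'fixed' or 'not-listed'."""
    product = product.strip().lower()
    version = parse_firmware(firmware)
    fixed = FIXED.get((product, None)) or FIXED.get((product, version[0]))
    if fixed is None:
        return "not-listed"  # product or branch this page makes no statement about
    return "vulnerable" if version < fixed else "fixed"


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("plant-a-gw1", "Flexy", "14.9s2"),
    ("plant-a-gw2", "Flexy", "15.0s4"),
    ("plant-b-vpn", "Cosy+", "22.1s5"),
    ("plant-c-vpn", "Cosy+", "23.0s3"),
    ("plant-d-vpn", "Cosy+", "21.2s1"),
]


def report(inventory):
    return {host: triage(product, fw) for host, product, fw in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```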
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11711
Vulnerability details
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have weak entropy for authentication cookies, allowing an attacker with a stolen session cookie to find the user password by brute-forcing an encryption parameter.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Weak entropy directly enables feasible brute-force cracking of the encryption parameter to recover plaintext passwords from stolen session cookies (T1110.002); recovered credentials then enable authentication as valid accounts for administrative access (T1078).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly addresses the CVE by requiring timely flaw remediation through firmware updates that fix the weak entropy in authentication cookies.
Prevents theft of session cookies over the network by enforcing transmission confidentiality and integrity, such as TLS protection.
Requires management of authenticators, including session cookies, to ensure sufficient strength and entropy against brute-force recovery of user passwords.