Cyber Resilience

CVE-2026-25818

Severity: Critical
Published: 13 March 2026
Modified: 27 April 2026
KEV Added: not listed (see Summary)
Patch: fixed firmware available (see Deeper analysis)
CVSS v3.1 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0014 (3.9th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-25818 is a critical-severity vulnerability classified as Cleartext Storage of Sensitive Information in a Cookie (CWE-315), attributed to Windows (inferred from references; see Affected Assets). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002). The CVE is ranked at the 3.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25818 is a vulnerability in HMS Networks Ewon Flexy devices running firmware before version 15.0s4, Cosy+ devices with firmware 22.xx before 22.1s6, and Cosy+ devices with firmware 23.xx before 23.0s3. It arises from weak entropy in authentication cookies, which allows an attacker with a stolen session cookie to brute-force an encryption parameter and recover the associated user password. The issue is classified under CWE-315 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

The vulnerability can be exploited by any unauthenticated attacker with network access who obtains a valid session cookie from a targeted device, such as through network interception if sessions are not protected by TLS or via other cookie theft vectors. Successful exploitation enables high-impact confidentiality and integrity violations, specifically allowing the attacker to derive the plaintext user password through feasible brute-force attacks on the weakly randomized encryption parameter, potentially granting full administrative access depending on the compromised account.

Mitigation requires updating affected devices to the fixed firmware versions: Ewon Flexy to 15.0s4 or later, Cosy+ 22.xx to 22.1s6 or later, and Cosy+ 23.xx to 23.0s3 or later. Detailed remediation guidance is provided in the HMS Networks security advisory (https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2026-03-09-001---ewon-several-flexy-and-cosy--vulnerabilities.pdf?sfvrsn=f7c027b8_13) and product documentation (https://www.hms-networks.com/p/flexy20500-00ma-ewon-flexy-205).


Vulnerability details

HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have weak entropy for authentication cookies, allowing an attacker with a stolen session cookie to find the user password by brute-forcing an encryption parameter.

CWE(s)

CWE-315: Cleartext Storage of Sensitive Information in a Cookie

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1110.002 Password Cracking (Credential Access): Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained.

T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

Weak entropy directly enables feasible brute-force cracking of the encryption parameter to recover plaintext passwords from stolen session cookies (T1110.002); recovered credentials then enable authentication as valid accounts for administrative access (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Windows (inferred from references and description; NVD did not file a CPE for this CVE). Note that the Deeper analysis and Vulnerability details sections above identify the affected products as HMS Networks Ewon Flexy and Cosy+ devices running the listed firmware versions, not Windows.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): Directly addresses the CVE by requiring timely flaw remediation through firmware updates that fix the weak entropy in authentication cookies.

SC-8 Transmission Confidentiality and Integrity (prevent): Prevents theft of session cookies over the network by enforcing transmission confidentiality and integrity, such as TLS protection.

Authenticator management (prevent; control identifier not shown on this page): Requires management of authenticators, including session cookies, to ensure sufficient strength and entropy against brute-force recovery of user passwords.

References

HMS Networks security advisory: https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2026-03-09-001---ewon-several-flexy-and-cosy--vulnerabilities.pdf?sfvrsn=f7c027b8_13

Ewon Flexy product documentation: https://www.hms-networks.com/p/flexy20500-00ma-ewon-flexy-205