CVE-2026-25819
Published: 13 March 2026
Summary
CVE-2026-25819 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Windows (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-25819 is a denial-of-service vulnerability in HMS Networks Ewon Flexy and Cosy+ devices. It affects Ewon Flexy with firmware versions before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3. The flaw enables unauthenticated attackers to trigger a device reboot using a specially crafted HTTP request, provided they can access the device's GUI. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption).
Any unauthenticated attacker with network access to the affected device's GUI can exploit this vulnerability. By sending the crafted HTTP request, they cause an immediate reboot, disrupting device availability and potentially impacting operational technology environments where these industrial gateways are deployed.
The HMS Networks security advisory (https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2026-03-09-001---ewon-several-flexy-and-cosy--vulnerabilities.pdf?sfvrsn=f7c027b8_13) addresses this and related vulnerabilities, recommending firmware updates to version 15.0s4 or later for Ewon Flexy, 22.1s6 or later for Cosy+ 22.xx, and 23.0s3 or later for Cosy+ 23.xx as the primary mitigation. Product details are available at https://www.hms-networks.com/p/flexy20500-00ma-ewon-flexy-205.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11713
Vulnerability details
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 allows unauthenticated attackers to cause a Denial of Service by using a specially crafted HTTP request that leads to…
more
a reboot of the device, provided they have access to the device's GUI.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables unauthenticated exploitation of public-facing HTTP GUI (T1190) to trigger resource exhaustion leading to device reboot/crash (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the firmware flaw causing the DoS reboot via timely identification, testing, and deployment of vendor-recommended updates.
Provides denial-of-service protections such as rate limiting and resource controls to block crafted HTTP requests that trigger uncontrolled resource consumption and reboots.
Enforces boundary protections like firewalls to deny unauthenticated network access to the vulnerable device GUI, stopping attackers before they can send the exploit.