Ghostwire

CVE-2019-25708: Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change...

MEDIUM CVSS 4.3 Exploit Available

Published: April 12, 2026 | Last Modified: April 12, 2026

Description

Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent.

Ghostwire Analysis — What This Means Practically

Medium CVSS score indicates moderate risk — exploitation requires specific conditions or results in limited impact.
Exploit code is reported to be available, increasing the likelihood of active exploitation.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

CVE-2019-25708: Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change...

Description

Ghostwire Analysis — What This Means Practically

Security Coverage (1 articles)

References