CVE-2026-25817
Received Received - Intake
OS Command Injection in HMS Networks Ewon Flexy and Cosy

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: MITRE

Description
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have improper neutralization of special elements used in an OS command allowing remote code execution by attackers with low privilege access on the gateway, provided the attacker has credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25817
EUVD
EUVD-2026-11709
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
hms_networks ewon_flexy to 15.0s4 (exc)
hms_networks cosy to 22.1s6 (exc)
hms_networks cosy to 23.0s3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects HMS Networks Ewon Flexy and Cosy+ devices with certain firmware versions before specified updates. It involves improper neutralization of special elements used in an operating system command, which allows attackers with low privilege access and valid credentials on the gateway to execute remote code.

Impact Analysis

The vulnerability can lead to remote code execution by attackers who have low privilege access and credentials to the affected gateway devices. This means an attacker could potentially take control of the device, leading to full compromise of confidentiality, integrity, and availability of the system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the firmware of your HMS Networks Ewon Flexy and Cosy+ devices to the fixed versions.

  • For Ewon Flexy, upgrade to firmware version 15.0s4 or later.
  • For Cosy+ devices with firmware 22.xx, upgrade to version 22.1s6 or later.
  • For Cosy+ devices with firmware 23.xx, upgrade to version 23.0s3 or later.

Ensure that only authorized users with proper credentials have access to the gateway, as the vulnerability requires attacker credentials.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25817. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart