CVE-2018-25396
Credential Disclosure in Heatmiser Wifi Thermostat
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| heatmiser | wifi_thermostat | 1.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-256 | The product stores a password in plaintext within resources such as memory or files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Heatmiser Wifi Thermostat version 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials.
Attackers can exploit this vulnerability by accessing the networkSetup.htm page on the device. By requesting this endpoint, they can extract plaintext username and password values from HTML form fields.
This grants attackers administrative access to the thermostat without needing any prior authentication.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized administrative access to your Heatmiser Wifi Thermostat.
An attacker who exploits this flaw can control the thermostat settings, potentially disrupting heating or cooling schedules.
Since the credentials are disclosed in plaintext, it poses a significant security risk, allowing attackers to manipulate the device remotely without any authentication.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending an HTTP request to the networkSetup.htm page of the Heatmiser Wifi Thermostat device and inspecting the response for plaintext administrative credentials.
A simple way to check is to use curl or wget commands targeting the device's IP address on port 80 (or 8081 if needed) to retrieve the networkSetup.htm page and look for username and password fields in the HTML response.
- curl http://<device-ip>/networkSetup.htm
- wget -qO- http://<device-ip>/networkSetup.htm
If the response contains plaintext username and password values in the HTML form fields, the device is vulnerable.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to retrieve administrative credentials in plaintext, which can lead to unauthorized access to the device.
Such unauthorized access and credential disclosure could potentially violate data protection and security requirements outlined in standards like GDPR and HIPAA, which mandate protection of sensitive information and secure access controls.
However, the provided information does not explicitly discuss the impact on compliance with these or other regulations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the credential disclosure vulnerability in Heatmiser Wifi Thermostat version 1.7, immediate steps include restricting network access to the device's web interface, especially the networkSetup.htm page, to trusted users only.
If possible, disable or block access to the networkSetup.htm endpoint to prevent unauthenticated attackers from retrieving administrative credentials.
Change the default or existing administrative credentials after securing access to prevent unauthorized use of disclosed credentials.
Monitor network traffic for suspicious requests to the networkSetup.htm page and consider isolating the thermostat on a separate network segment.
Check for any available firmware updates or patches from Heatmiser that address this vulnerability and apply them as soon as possible.