Platform
other
Component
heatmiser-wifi-thermostat
Fixed in
1.7.1
CVE-2019-25708 describes a cross-site request forgery (CSRF) vulnerability in Heatmiser Wifi Thermostat firmware version 1.7. The device's web interface accepts a request that changes the administrator credentials without verifying that the request originated from one of its own pages, so an attacker can trick a user who is currently authenticated to the thermostat into submitting that request unknowingly. Only users who are logged in to the device at the time are affected, but for them the administrative interface is open to unauthorized modification.
The impact of CVE-2019-25708 is unauthorized replacement of the administrator credentials. An attacker crafts an HTML form on a page they control that posts to the thermostat's networkSetup.htm endpoint with the parameters usnm (username), usps (password) and cfps (confirm password) set to values of the attacker's choosing. If an authenticated user loads that page, the browser submits the form with the user's existing session, and the credentials are silently replaced. The attacker then has full administrative control of the thermostat and can alter schedules and setpoints, observe usage, or disable the device, and the legitimate owner is locked out until the device is reset. The blast radius is whatever depends on the thermostat for heating control: occupant comfort and energy cost rather than data confidentiality.
CVE-2019-25708 was published on 2026-04-12. There are currently no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog. The CVSS score of 4.3 (medium) reflects that exploitation requires user interaction: the victim must be authenticated and must visit an attacker-controlled page. Together with the low EPSS score, the absence of public exploits indicates a low probability of exploitation in the near term, although a working CSRF page is trivial to build once the endpoint and parameter names are known, and they are public.
Users of Heatmiser Wifi Thermostat firmware 1.7 who administer the device through its web interface are at risk, in particular if they browse other sites from the same browser while logged in to the thermostat, since the attack rides on that existing session. Exposing the interface beyond the local network (for example via port forwarding) increases the risk further, because the attacker's page can then reach the device from anywhere; a web application firewall in front of the device is rare in home deployments and should not be assumed.
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2019-25708 is to upgrade the Heatmiser Wifi Thermostat to the fixed firmware version listed above (1.7.1), as soon as it is available from the vendor. Until the upgrade is applied, reduce exposure: do not keep the thermostat's interface open in a browser session while visiting other sites, log out when finished, and do not expose the interface to the internet. Where a reverse proxy or web application firewall does sit in front of the device, a rule that rejects cross-origin POST requests to networkSetup.htm (based on the Origin or Referer header) blocks the forged form; this is a partial defence only, since the underlying interface still lacks request verification. After upgrading, verify the fix by logging in with the original administrator credentials and confirming that the version shown by the device is 1.7.1 or later.
Update the Heatmiser Wifi Thermostat firmware to a fixed version. Check the manufacturer's website or contact technical support for specific instructions on updating the firmware and mitigating the risk of CSRF attacks.
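The following is an added example, not code from Heatmiser or from this advisory, showing the server-side check that an endpoint like networkSetup.htm needs in order to resist the forged form described above: an Origin/Referer check plus a per-session synchronizer token, written as a guard that could run in the device firmware or in a reverse proxy in front of it. The endpoint path and the parameters usnm, usps and cfps come from the advisory; the device address, the session object, the hidden-field name csrf_token and the sample requests are constructed for the demonstration, and how the vendor actually fixed the issue in 1.7.1 is not stated on this page.

```python
"""CSRF guard for a credential-change endpoint (added example, not Heatmiser code).

Two independent checks are applied to state-changing requests on protected paths:
  1. If the browser sent an Origin (or Referer) header, it must match the device's
     own origin. Browsers always attach Origin to cross-origin form POSTs, and a
     page on evil.example cannot forge it.
  2. The form must carry the per-session synchronizer token that the device embedded
     in its own page. A third-party page cannot read that token, so it cannot
     submit a valid form even if the origin headers are missing.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

DEVICE_ORIGIN = "http://192.168.1.50"        # assumed thermostat address
PROTECTED_PATHS = {"/networkSetup.htm"}      # path named in the advisory
TOKEN_FIELD = "csrf_token"                   # assumed hidden-field name


class Session:
    """Minimal authenticated-session stand-in; the token lives only server-side."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)

    def rotate_token(self):
        # Rotate after a successful credential change so an old token is useless.
        self.csrf_token = secrets.token_urlsafe(32)


def form_token(session):
    """Value the device embeds as <input type="hidden" name="csrf_token"> in its form."""
    return session.csrf_token


def _source_origin(headers):
    """Origin of the page that issued the request, derived from Origin or Referer."""
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin


def check_request(method, path, headers, body, session):
    """Return (allowed, reason) for one HTTP request against the given session."""
    if method.upper() != "POST" or path not in PROTECTED_PATHS:
        return True, "not a protected state change"
    origin = _source_origin(headers)
    if origin is not None and origin.lower() != DEVICE_ORIGIN:
        return False, f"cross-origin request from {origin}"
    form = parse_qs(body, keep_blank_values=True)
    submitted = form.get(TOKEN_FIELD, [""])[0]
    # Constant-time comparison so the token cannot be recovered by timing.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo():
    """Run constructed requests through the guard; returns {name: allowed}."""
    session = Session()
    forged_body = "usnm=attacker&usps=pwned&cfps=pwned"      # what the forged form posts
    legit_body = f"{forged_body}&{TOKEN_FIELD}={form_token(session)}"
    cases = {
        # Forged form auto-submitted from the attacker's page (constructed).
        "forged_cross_origin": ("POST", "/networkSetup.htm",
                                {"Origin": "http://evil.example"}, forged_body),
        # Older browser sending only Referer from the attacker's page.
        "forged_referer_only": ("POST", "/networkSetup.htm",
                                {"Referer": "http://evil.example/lure.html"}, forged_body),
        # Headers stripped entirely: the token check still catches it.
        "forged_no_headers": ("POST", "/networkSetup.htm", {}, forged_body),
        # Same-origin but stale/guessed token.
        "bad_token": ("POST", "/networkSetup.htm", {"Origin": DEVICE_ORIGIN},
                      f"{forged_body}&{TOKEN_FIELD}=guess"),
        # Legitimate submission of the device's own form.
        "legit": ("POST", "/networkSetup.htm", {"Origin": DEVICE_ORIGIN}, legit_body),
        # Merely loading the settings page is not a state change.
        "get_page": ("GET", "/networkSetup.htm", {"Origin": DEVICE_ORIGIN}, ""),
    }
    results = {}
    for name, (method, path, headers, body) in cases.items():
        allowed, reason = check_request(method, path, headers, body, session)
        results[name] = allowed
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
    return results


if __name__ == "__main__":
    demo()
```

The token is the primary defence; the origin check is a cheap second layer that also rejects requests from browsers that sent an Origin header but no token. Requests with neither header are not rejected outright, because some privacy settings strip Referer on same-site navigations and the token check already covers that case.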
CVE-2019-25708 is a cross-site request forgery (CSRF) vulnerability in Heatmiser Wifi Thermostat firmware version 1.7 that lets an attacker change the administrator credentials through a forged request submitted by an authenticated user's browser.
If you run Heatmiser Wifi Thermostat firmware version 1.7 and administer the device through its web interface, you are potentially affected.
Upgrade to the fixed firmware version listed above (1.7.1). Until you can, avoid browsing other sites while logged in to the thermostat, keep the interface off the internet, and, where a proxy or WAF fronts the device, reject cross-origin POST requests to the networkSetup.htm endpoint.
There is currently no public evidence of CVE-2019-25708 being actively exploited, but the attack is easy to mount once the endpoint and parameter names are known, as is typical of CSRF vulnerabilities.
Please refer to the Heatmiser website or contact their support for the official advisory regarding CVE-2019-25708.