Platform: other
Component: heatmiser-wifi-thermostat
Fixed in: 1.7.1
CVE-2019-25708 describes a cross-site request forgery (CSRF) vulnerability in Heatmiser Wifi Thermostat version 1.7. The flaw allows an attacker to potentially change administrator credentials by tricking an authenticated user into unknowingly submitting a malicious request. It affects users who are already authenticated to the device and exposes the administrative interface to unauthorized modification.
The primary impact of CVE-2019-25708 is the potential for unauthorized modification of the Heatmiser Wifi Thermostat's administrative settings. An attacker could leverage this CSRF vulnerability to change the administrator username and password, effectively gaining full control over the device. This could lead to unauthorized access to the thermostat's configuration, potentially allowing manipulation of heating schedules, temperature settings, and other critical functions. The blast radius extends to any user who interacts with the thermostat's web interface while logged in, making them susceptible to the attack. While no direct precedent exists for this specific device, CSRF vulnerabilities are commonly exploited to gain administrative access, similar to scenarios seen in web application attacks.
CVE-2019-25708 was published on 2026-04-12. There is no indication of this vulnerability being actively exploited or listed on CISA KEV. Public proof-of-concept (PoC) code is currently unavailable, suggesting a relatively low probability of immediate exploitation. The vulnerability's impact is dependent on user interaction and the attacker's ability to craft convincing phishing or social engineering attacks.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2019-25708 is to upgrade to a patched version of the Heatmiser Wifi Thermostat firmware. Unfortunately, a fixed version is not explicitly stated in the available information. As a workaround, implementing a Web Application Firewall (WAF) with CSRF protection rules can help prevent malicious requests from being processed. Specifically, WAF rules should be configured to scrutinize requests to the networkSetup.htm endpoint, particularly those containing the usnm, usps, and cfps parameters. Additionally, educating users about the risks of clicking on suspicious links or submitting forms from untrusted sources can reduce the likelihood of exploitation. After applying WAF rules, verify their effectiveness by attempting to submit a crafted CSRF request and confirming it is blocked.
Update the Heatmiser Wifi thermostat firmware to a patched version. Check the manufacturer's website or contact technical support for specific instructions on how to update the firmware and mitigate the risk of CSRF attacks.
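One way to express the WAF rule described above in code, as an added example that is not Heatmiser's or any vendor's code: requests to networkSetup.htm that carry the usnm, usps or cfps parameters are only allowed when the browser-supplied Origin (or Referer) names the thermostat itself. The device address, the header-based same-origin check, and all sample requests are assumptions constructed for the example.

```python
"""Same-origin check for credential changes on networkSetup.htm.

Added example, not Heatmiser code. It models the WAF rule the advisory
describes: a request to networkSetup.htm that carries the usnm, usps or cfps
parameters is only allowed when the browser-supplied Origin (or Referer)
names the thermostat itself. The device address is a constructed assumption.
"""
from urllib.parse import parse_qs, urlsplit

DEVICE_HOST = "192.168.1.50"                  # constructed: thermostat LAN address
PROTECTED_PATH = "/networkSetup.htm"          # endpoint named in the advisory
CREDENTIAL_PARAMS = {"usnm", "usps", "cfps"}  # parameters named in the advisory


def is_allowed(path, headers, body=""):
    """Return (allowed, reason) for one request to the thermostat.

    Parameters are taken from both the query string and a form body, so the
    check does not depend on whether the form is submitted by GET or POST.
    """
    url = urlsplit(path)
    if url.path != PROTECTED_PATH:
        return True, "other endpoint"
    params = set(parse_qs(url.query)) | set(parse_qs(body))
    if not params & CREDENTIAL_PARAMS:
        return True, "no credential parameters"
    # A form planted on another site cannot make the browser send the device's
    # own origin, so a missing Origin/Referer or the literal "null" origin is
    # treated as untrusted whenever credential parameters are present.
    lower = {k.lower(): v for k, v in headers.items()}
    source = lower.get("origin") or lower.get("referer")
    if not source:
        return False, "credential change without Origin/Referer"
    if urlsplit(source).hostname != DEVICE_HOST:
        return False, f"cross-site credential change from {source}"
    return True, "same-origin credential change"


# Constructed sample traffic: a change made from the device's own page, the
# same submission arriving from an unrelated site, and a plain page load.
SAMPLES = {
    "legitimate": ("/networkSetup.htm", {"Origin": "http://192.168.1.50"},
                   "usnm=admin&usps=example&cfps=example"),
    "forged": ("/networkSetup.htm", {"Origin": "https://unrelated.example"},
               "usnm=admin&usps=example&cfps=example"),
    "read_only": ("/networkSetup.htm", {"Referer": "http://192.168.1.50/"}, ""),
}

if __name__ == "__main__":
    for name, (path, headers, body) in SAMPLES.items():
        print(f"{name:10} allowed={is_allowed(path, headers, body)}")
```

The advisory's verification step maps onto the "forged" sample: a submission of the credential parameters from any origin other than the device must come back as blocked.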
CVE-2019-25708 is a cross-site request forgery (CSRF) vulnerability affecting Heatmiser Wifi Thermostat version 1.7, allowing attackers to potentially change admin credentials.
If you are using Heatmiser Wifi Thermostat version 1.7 and access the device's web interface, you are potentially affected by this vulnerability.
Upgrading to a patched firmware version is recommended. As no fixed version is available, implement WAF rules to protect the networkSetup.htm endpoint.
There is currently no public evidence of CVE-2019-25708 being actively exploited, but the potential remains due to the nature of CSRF vulnerabilities.
Please refer to the Heatmiser website or contact their support for the official advisory regarding CVE-2019-25708.