CVE-2011-4837

HomeSeer HS2 2.5.0.20 - Cross-Site Request Forgery in Web Interface

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-4837. PoCs published by Silent_Dream.

AI-analyzed exploit summary The exploit demonstrates a directory traversal vulnerability to retrieve sensitive configuration files and a CSRF vulnerability to add an admin user in HomeSeer Home Automation Software.

Description

Cross-site request forgery (CSRF) vulnerability in /ctrl in the web interface in HomeSeer HS2 2.5.0.20 allows remote attackers to hijack the authentication of admins for requests that execute arbitrary programs.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Silent_Dream · textwebappswindows

https://www.exploit-db.com/exploits/18567

View Code ZIP pw:eip

The exploit demonstrates a directory traversal vulnerability to retrieve sensitive configuration files and a CSRF vulnerability to add an admin user in HomeSeer Home Automation Software.

Classification

Working Poc 100%

Attack Type

Info Leak | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: HomeSeer Home Automation Software 2.5.0.49

No auth needed

Prerequisites: Network access to the target system · Victim interaction for CSRF

MITRE ATT&CK

T1005 - Data from Local System T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/796883

Scores

EPSS 0.0207

EPSS Percentile 79.0%

Details

CWE

CWE-352

Status published

Products (1)

homeseer/homeseer_hs2 2.5.0.20

Published Dec 15, 2011

Tracked Since Feb 18, 2026