CVE-2019-25708

MEDIUM

Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery

Title source: cna

Description

Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability in its networkSetup.htm endpoint, which accepts a credential change without verifying that the request originated from the thermostat's own pages. An attacker can host an HTML form that posts the parameters usnm (admin username), usps (new password) and cfps (password confirmation) to networkSetup.htm; when an administrator who is logged in to the thermostat loads that attacker-controlled page, the browser submits the forged request with the victim's session and the admin username and password are replaced without the victim's knowledge or consent.
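To make the request shape and the missing check concrete, the following is an added example, not code from Heatmiser, from the Exploit-DB PoC or from VulnCheck. It models a minimal request handler for the endpoint twice: once behaving as the advisory describes (any authenticated POST to networkSetup.htm is applied), and once with the two standard CSRF defences, an Origin/Referer check and a per-session synchronizer token. Only the endpoint and the parameter names usnm, usps and cfps come from the advisory; the device address, the session model, the `csrf` field name and the reading of cfps as a confirm-password field are assumptions made for the example.

```python
"""Model of the CSRF exposure described for CVE-2019-25708, beside one way to close it.

Added example, not the thermostat's real firmware. Only the endpoint
(networkSetup.htm) and the parameter names usnm, usps, cfps come from the
advisory; the handlers, the session model, the 'csrf' field and the meaning of
cfps as a confirm-password field are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed: the address at which the victim's browser reaches the thermostat.
DEVICE_ORIGIN = "http://192.168.1.50"


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: str


@dataclass
class Device:
    admin_user: str = "admin"
    admin_pass: str = "admin"
    # Hypothetical per-session anti-CSRF tokens, keyed by session id.
    tokens: dict = field(default_factory=dict)

    def issue_token(self, session_id: str) -> str:
        """Mint a token when the settings page is rendered for this session."""
        token = secrets.token_urlsafe(32)
        self.tokens[session_id] = token
        return token

    @staticmethod
    def _form(req: Request) -> dict:
        return {k: v[0] for k, v in parse_qs(req.body).items()}

    def _apply(self, form: dict) -> bool:
        """Apply the credential change; usps must match its confirmation cfps."""
        if not form.get("usnm") or form.get("usps") != form.get("cfps"):
            return False
        self.admin_user = form["usnm"]
        self.admin_pass = form["usps"]
        return True

    def vulnerable_handler(self, req: Request, session_id: str) -> bool:
        """Models the reported behaviour: an authenticated POST is applied no
        matter which site caused the browser to send it (session_id unused)."""
        if req.method != "POST" or req.path != "/networkSetup.htm":
            return False
        return self._apply(self._form(req))

    def hardened_handler(self, req: Request, session_id: str) -> bool:
        """Same endpoint with two independent CSRF checks."""
        if req.method != "POST" or req.path != "/networkSetup.htm":
            return False
        # 1. Origin (or Referer) is set by the browser, not by the attacker's
        #    page, so a cross-site submission carries the attacker's origin.
        src = urlsplit(req.headers.get("Origin") or req.headers.get("Referer", ""))
        own = urlsplit(DEVICE_ORIGIN)
        if (src.scheme, src.netloc) != (own.scheme, own.netloc):
            return False
        # 2. A synchronizer token bound to this session must be present and
        #    match; compare in constant time.
        form = self._form(req)
        expected = self.tokens.get(session_id)
        if expected is None or not hmac.compare_digest(expected, form.get("csrf", "")):
            return False
        return self._apply(form)


def forged_request() -> Request:
    """Constructed: what an auto-submitting form on attacker.example makes the
    victim's logged-in browser send. The session rides along automatically."""
    return Request("POST", "/networkSetup.htm",
                   {"Origin": "http://attacker.example"},
                   "usnm=attacker&usps=pwned&cfps=pwned")


def legitimate_request(token: str) -> Request:
    """Constructed: the same form submitted from the device's own settings page."""
    return Request("POST", "/networkSetup.htm",
                   {"Origin": DEVICE_ORIGIN},
                   f"usnm=admin&usps=n3w-pass&cfps=n3w-pass&csrf={token}")


def demo() -> dict:
    naive = Device()
    hit = naive.vulnerable_handler(forged_request(), "victim-session")

    hard = Device()
    token = hard.issue_token("victim-session")
    blocked = not hard.hardened_handler(forged_request(), "victim-session")
    # A token leaked from one session must not be reusable in another.
    cross = not hard.hardened_handler(legitimate_request(token), "other-session")
    ok = hard.hardened_handler(legitimate_request(token), "victim-session")
    return {
        "vulnerable_changed_creds": hit,
        "naive_admin": naive.admin_user,
        "forged_blocked": blocked,
        "cross_session_blocked": cross,
        "legit_accepted": ok,
        "hard_admin_pass": hard.admin_pass,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Either check alone stops the forged form in a current browser, but they fail differently: the Origin check depends on the client sending the header (older or privacy-stripped clients may omit it), while the token check depends on the firmware keeping per-session state. On a device like this, with no cookie attributes under the operator's control, the server-side token is the check to rely on; SameSite cookies help only if the firmware sets them.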

Exploits (1)

Exploit-DB 46100 (working PoC)
by SajjadBnd · type: webapps · platform: hardware
https://www.exploit-db.com/exploits/46100

References (2)

Exploit
ExploitDB-46100
https://www.exploit-db.com/exploits/46100

Third Party Advisory
VulnCheck Advisory: Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery
https://www.vulncheck.com/advisories/heatmiser-wifi-thermostat-cross-site-request-forgery

Scores

CVSS v3 4.3
EPSS 0.0001
EPSS Percentile 0.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (2)
Heatmiser/Heatmiser Wifi Thermostat 1.7
heatmiser/wifi_thermostat 1.7
Published Apr 12, 2026
Tracked Since Apr 12, 2026