CVE-2019-25708

MEDIUM

Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25708. PoCs published by SajjadBnd.

AI-analyzed exploit summary: This is a functional CSRF exploit for Heatmiser Wifi Thermostat 1.7, allowing an attacker to change admin credentials via a crafted HTML form. The exploit leverages the lack of CSRF protection in the device's web interface.

Description

Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent.

Exploits (1)

exploitdb WORKING POC
by SajjadBnd · text · webapps · hardware
https://www.exploit-db.com/exploits/46100


Classification: Working Poc 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Heatmiser Wifi Thermostat 1.7
No auth needed
Prerequisites: Victim must be authenticated and visit the malicious page
devstral-2 · analyzed Apr 12, 2026

References (2)

Core References
Exploit: ExploitDB-46100
https://www.exploit-db.com/exploits/46100
Third Party Advisory: VulnCheck Advisory: Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery
https://www.vulncheck.com/advisories/heatmiser-wifi-thermostat-cross-site-request-forgery

Scores

CVSS v3 4.3
EPSS 0.0013
EPSS Percentile 2.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-352
Status published
Products (2)
Heatmiser/Heatmiser Wifi Thermostat 1.7
heatmiser/wifi_thermostat 1.7
Published Apr 12, 2026
Tracked Since Apr 12, 2026