CVE-2026-25817

HIGH

HMS Networks Ewon Flexy <15.0s4 - RCE

Title source: llm

Description

HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have improper neutralization of special elements used in an OS command allowing remote code execution by attackers with low privilege access on the gateway, provided the attacker has credentials.

References (2)

Core 2

Core References

Various Sources

https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2026-03-09-001---ewon-several-flexy-and-cosy--vulnerabilities.pdf?sfvrsn=f7c027b8_13

Various Sources

https://www.hms-networks.com/p/flexy20500-00ma-ewon-flexy-205

Scores

CVSS v3 8.8

EPSS 0.0079

EPSS Percentile 51.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Published Mar 13, 2026

Tracked Since Mar 14, 2026