CVE-2026-25818: n/a
CVE-2026-25818 affects HMS Networks Ewon Flexy and Cosy+ devices with certain firmware versions, where weak entropy in authentication cookies enables attackers possessing a stolen session cookie to brute-force encryption parameters and recover user passwords. This vulnerability does not require user interaction or privileges and can be exploited remotely over the network. The flaw impacts confidentiality and integrity but not availability. It has a critical CVSS score of 9.1 due to ease of exploitation and high impact. No known exploits are currently in the wild, but the vulnerability poses a significant risk to industrial and remote access systems relying on these devices. Organizations using affected firmware versions should prioritize patching once updates are available and implement compensating controls to protect session cookies. Countries with significant industrial automation and remote monitoring deployments of HMS Networks products are most at risk.
AI Analysis
Technical Summary
CVE-2026-25818 is a critical vulnerability identified in HMS Networks Ewon Flexy devices running firmware versions prior to 15.0s4, and Cosy+ devices with firmware 22.xx before 22.1s6 and 23.xx before 23.0s3. The vulnerability arises from weak entropy used in generating authentication cookies, which are essential for session management. An attacker who has already obtained a stolen session cookie can exploit this weakness by brute-forcing an encryption parameter related to the cookie, ultimately recovering the user’s password. This attack vector does not require any privileges or user interaction and can be executed remotely over the network, making it highly accessible to threat actors. The vulnerability is classified under CWE-315, which concerns the improper protection of sensitive information. The weakness compromises confidentiality and integrity by exposing user credentials, potentially allowing unauthorized access to critical industrial control systems or remote access gateways. Although no exploits have been reported in the wild yet, the high CVSS score of 9.1 reflects the severity and ease of exploitation. The affected devices are widely used in industrial automation and remote monitoring, making this vulnerability particularly concerning for sectors relying on secure remote connectivity and control. Currently, no official patches are linked, so organizations must monitor vendor advisories closely and apply updates promptly once available.
Potential Impact
The vulnerability poses a critical risk to organizations using HMS Networks Ewon Flexy and Cosy+ devices, especially in industrial automation, manufacturing, and remote monitoring environments. Successful exploitation allows attackers to recover user passwords from stolen session cookies, leading to unauthorized access to sensitive control systems. This can result in data breaches, manipulation of industrial processes, and potential disruption of operational technology environments. The compromise of authentication credentials undermines trust in remote access security and can facilitate lateral movement within networks. Given the devices’ role in critical infrastructure and industrial control systems, the impact extends beyond IT to operational technology, increasing the risk of physical damage or safety incidents. The lack of required privileges or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. Organizations worldwide relying on these devices face potential exposure to espionage, sabotage, or ransomware attacks targeting industrial environments.
Mitigation Recommendations
Organizations should immediately inventory their HMS Networks Ewon Flexy and Cosy+ devices to identify affected firmware versions. Until patches are released, implement network segmentation to isolate these devices from general IT networks and restrict access to trusted administrators only. Enforce strong monitoring of network traffic for anomalous session cookie usage or brute-force attempts. Employ multi-factor authentication where possible to reduce reliance on password secrecy alone. Use VPNs or secure tunnels with additional encryption layers to protect session data in transit. Regularly rotate user credentials and invalidate session cookies after short durations to limit exposure. Coordinate closely with HMS Networks for timely firmware updates and apply patches as soon as they become available. Conduct security awareness training for staff managing these devices to recognize potential indicators of compromise. Consider deploying intrusion detection systems tailored to industrial protocols to detect exploitation attempts early.
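For the inventory step, the following added example (not vendor tooling and not part of the original advisory) classifies devices against the firmware thresholds stated above. It assumes firmware strings follow the `MAJOR.MINORsN` pattern seen in the versions on this page; the model labels, function names and sample inventory are constructed for illustration.

```python
import re

# Fixed releases as stated in the advisory text:
#   Flexy: fixed in 15.0s4; Cosy+ 22.xx: fixed in 22.1s6; Cosy+ 23.xx: fixed in 23.0s3
FIXED = {
    "flexy": {None: (15, 0, 4)},                   # one threshold for every branch
    "cosy+": {22: (22, 1, 6), 23: (23, 0, 3)},     # threshold per major branch
}
# Assumption: versions look like "22.1s6"; a missing "sN" suffix is read as s0.
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:s(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Parse 'MAJOR.MINORsSERVICE' into a comparable (major, minor, service) tuple."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, service = m.groups()
    return int(major), int(minor), int(service or 0)

def classify(model, firmware):
    """Return 'affected', 'fixed' or 'unknown' (needs manual review)."""
    branches = FIXED.get(model.strip().lower())
    if branches is None:
        return "unknown"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unknown"
    fixed = branches.get(None) or branches.get(version[0])
    if fixed is None:
        return "unknown"  # branch not named in the advisory, e.g. Cosy+ 21.xx
    return "affected" if version < fixed else "fixed"

def triage(inventory):
    """Attach a status to each (name, model, firmware) row."""
    return [(n, m, fw, classify(m, fw)) for n, m, fw in inventory]

# Constructed sample inventory; real data would come from an asset database.
INVENTORY = [
    ("pump-station-1", "Flexy", "14.9s2"),
    ("pump-station-2", "Flexy", "15.0s4"),
    ("line-3-gw", "Cosy+", "22.1s5"),
    ("line-4-gw", "Cosy+", "23.0s3"),
    ("lab-gw", "Cosy+", "21.2s0"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("{:<16} {:<6} {:<8} {}".format(*row))
```

Rows reported as `unknown` are outside what the advisory states (an unparsed version string or an unlisted branch) and should be checked against the vendor advisory rather than treated as safe.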
Affected Countries
United States, Germany, France, United Kingdom, Netherlands, Sweden, Japan, South Korea, China, Canada, Australia, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-02-06T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69b333cf2f860ef943fdd73e
Added to database: 3/12/2026, 9:44:47 PM
Last enriched: 3/20/2026, 2:42:02 AM
Last updated: 4/28/2026, 7:22:26 AM