CVE-2019-25708 MEDIUM

CVE-2019-25708: Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery

Vendor Heatmiser
Product Heatmiser Wifi Thermostat
Weakness CWE-352 · CSRF
Published April 12, 2026
Last update April 13, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01 Description

Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent.
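A defender-side check for the request pattern described above, as an added example that is not part of the original record: it flags requests to networkSetup.htm that carry usnm, usps or cfps and whose Origin or Referer does not match the thermostat's own host. The record layout (a dict with `url`, `body`, `headers`), the function names and the sample addresses are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter names are taken from the CVE description.
ENDPOINT = "/networksetup.htm"
CRED_PARAMS = {"usnm", "usps", "cfps"}


def _host(value):
    """Return the lowercase host[:port] of a URL-valued header, or None."""
    return (urlsplit(value).netloc.lower() or None) if value else None


def classify(req):
    """Classify one captured request (assumed layout: url, body, headers).

    Returns 'ignore', 'same-origin' or 'suspect-csrf'.
    """
    parts = urlsplit(req["url"])
    if parts.path.lower() != ENDPOINT:
        return "ignore"
    # The parameters may arrive in the query string or a form-encoded body.
    params = set(parse_qs(parts.query, keep_blank_values=True))
    params |= set(parse_qs(req.get("body", ""), keep_blank_values=True))
    if not params & CRED_PARAMS:
        return "ignore"
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    device = headers.get("host", "").lower()
    # Prefer Origin when the browser sent it ("null" yields no host);
    # fall back to Referer only when Origin is absent.
    if "origin" in headers:
        source = _host(headers["origin"])
    else:
        source = _host(headers.get("referer"))
    # A credential change whose source is missing or foreign is what a
    # forged cross-site form submission looks like from the device side.
    return "same-origin" if source and source == device else "suspect-csrf"


# Constructed sample records; hosts and values are illustrative only.
DEV = "192.168.1.50"
FORM = "usnm=admin&usps=example&cfps=example"
SAMPLES = [
    {"url": "/networkSetup.htm", "body": FORM,
     "headers": {"Host": DEV, "Origin": "http://" + DEV}},
    {"url": "/networkSetup.htm", "body": FORM,
     "headers": {"Host": DEV, "Origin": "http://other-site.example"}},
    {"url": "/networkSetup.htm?" + FORM, "headers": {"Host": DEV}},
    {"url": "/networkSetup.htm", "headers": {"Host": DEV}},
]
```

Run over proxy or capture records, `[classify(r) for r in SAMPLES]` separates the device's own form submission from the cross-site and source-less credential changes.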

Key dates

02 Disclosure timeline

April 12, 2026 CVE published
April 13, 2026 Record updated