CVE-2025-14750
Published 2026-01-22
CVE-2025-14750: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can…
Priority P3 · 50 · high · 8.7 · CVSS 4.0
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.32% (23.1th percentile)
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| weintek | cmt-ctrl01 | >= 20230308 < 20250827 | 20250827 |
| weintek | cmt-svrx-820 | >= 20220413 < 20240919 | 20240919 |
| weintek | cmt3072xh | >= 20200630 < 20241112 | 20241112 |
CISA ICS
Weintek cMT X Series HMI EasyWeb Service
cisa_ics·2026-01-22·CVSS 8.7
[HIGH] Weintek cMT X Series HMI EasyWeb Service
ICS Advisory
## Weintek cMT X Series HMI EasyWeb Service
Release Date: January 22, 2026
Alert Code: ICSA-26-022-05
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities could allow a low-level user to alter privileges and gain full control of the device.
The following versions of Weintek cMT X Series HMI EasyWeb Service are affected:
- cMT3072XH (CVE-2025-14750, CVE-2025-14751)
- cMT3072XH(T) (CVE-2025-14750, CVE-2025-14751)
- cMT-SVRX-820 (CVE-2025-14750, CVE-2025-14751)
- cMT-CTRL01 (CVE-2025-14750, CVE-2025-14751)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 8.3 | Weintek | Weintek cMT X Series HMI EasyWeb Service | External Control of Assumed-Immutable W |
GHSA
GHSA-hfxh-j63h-2qhw: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable
ghsa_unreviewed·2026-01-23
CVE-2025-14750 [HIGH] CWE-472 GHSA-hfxh-j63h-2qhw: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-01-22