NimbleTech EZCast Pro II Admin UI CSRF Vulnerability (CVE-2026-24345) Advisory

Critical Vulnerability Information Vulnerability Name: Cross-Site Request Forgery in Admin UI of EZCast Pro II Vulnerability ID: - NTCF: NTCF-2025-32832 - CVE: CVE-2026-24345 Affected Product: EZCast Pro II Vendor: NimbleTech Severity: Medium Discovery Date: 2025-07-14 Vulnerability Status: Pending Disclosure Status: Public Affected Versions: All versions, tested version: 1.17478.146 Vulnerability Description Since no patch has been provided by the vendor, users are strongly advised to follow the relevant warnings issued by the National Cyber Security Centre (NCSC). Until firmware patches are available, users should take the following immediate actions: - Disconnect the dongle from the local network. - Strictly limit access to the access point functionality to minimize the attack surface. - Change default passwords. Disclosure Policy In compliance with the NTC Vulnerability Disclosure Policy, technical details of this vulnerability will not be publicly disclosed. Further details are available on a case-by-case basis. Please submit your request via the contact form and explain your need. Acknowledgments NTC thanks Redguard AG for their valuable contribution in sharing this vulnerability information. Timeline 2025-02-09: Vendor unresponsive despite multiple requests for status updates. 2025-02-09: Escalation to NCSC 2025-07-14: Initial discovery 2025-07-16: First contact with vendor 2025-07-25: Private disclosure to vendor 2026-01-26: Public disclosure References CVE-2026-24345 NCSC CVD case

Goal Reached Thanks to every supporter — we hit 100%!

NimbleTech EZCast Pro II Admin UI CSRF Vulnerability (CVE-2026-24345) Advisory