CVE-2025-6260
published 2025-07-24


Priority: P2 · 66
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.46% (36.7th percentile)

The embedded web server on the thermostat, in the version ranges listed below, contains a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.

Affected

4 ranges
Vendor              Product                     Version range        Fixed in
network_thermostat  x-series_wifi_thermostats   >= v10.1 < v10.29    v10.29
network_thermostat  x-series_wifi_thermostats   >= v11.1 < v11.5     v11.5
network_thermostat  x-series_wifi_thermostats   >= v4.5 < 4.6        4.6
network_thermostat  x-series_wifi_thermostats   >= v9.6 < v9.46      v9.46

Detection & IOCs (extracted from sources)

  • Target is the embedded web server on Network Thermostat X-Series WiFi thermostats; look for unauthenticated HTTP requests that manipulate credential-reset elements of the web interface without any authentication headers or session tokens
  • Devices exposed directly to the internet (port-forwarded) are reachable remotely; monitor for inbound unauthenticated HTTP traffic to thermostat management interfaces from external IPs
  • Vulnerable devices that are internet-reachable (port-forwarded) are exposed to remote unauthenticated exploitation; devices behind firewalls with no inbound port forwarding have a reduced but not eliminated attack surface (a LAN-side attack is still possible)
  • Patched firmware was pushed automatically to internet-reachable units; units behind firewalls did NOT receive the automatic update and remain vulnerable until manually updated via vendor coordination
  • No known public exploitation of this vulnerability had been reported to CISA at the time of advisory publication (July 24, 2025)

CVSS provenance

Source: NVD · CVSS v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD · CVSS v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X