CVE-2025-6260
Published: 2025-07-24
Priority: P2 (66) · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% (36.7th percentile)
The embedded web server on the thermostat, in the listed version ranges, contains a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| network_thermostat | x-series_wifi_thermostats | >= v10.1 < v10.29 | v10.29 |
| network_thermostat | x-series_wifi_thermostats | >= v11.1 < v11.5 | v11.5 |
| network_thermostat | x-series_wifi_thermostats | >= v4.5 < v4.6 | v4.6 |
| network_thermostat | x-series_wifi_thermostats | >= v9.6 < v9.46 | v9.46 |
Detection & IOCs (extracted from sources)
- Target is the embedded web server on Network Thermostat X-Series WiFi thermostats; look for unauthenticated HTTP requests that manipulate credential-reset elements of the web interface without any authentication headers or session tokens
- Devices exposed directly to the internet (port-forwarded) are reachable remotely; monitor for inbound unauthenticated HTTP traffic to thermostat management interfaces from external IPs
- Vulnerable devices that are internet-reachable (port-forwarded) are exposed to remote unauthenticated exploitation; devices behind firewalls with no inbound port forwarding have a reduced but not eliminated attack surface (LAN-side attack still possible)
- Patched firmware was pushed automatically to internet-reachable units; units behind firewalls did NOT receive the automatic update and remain vulnerable until manually updated via vendor coordination
- No known public exploitation of this vulnerability had been reported to CISA at time of advisory publication (July 24, 2025)
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA-wj97-j26v-v8wp (ghsa_unreviewed, 2025-07-24): CVE-2025-6260 [CRITICAL], CWE-306 (Missing Authentication for Critical Function). The GHSA description is identical to the CVE description above.
CISA ICS
cisa_ics · 2025-07-24 · CVSS 9.8
[CRITICAL] Network Thermostat X-Series WiFi Thermostats
ICS Advisory: Network Thermostat X-Series WiFi Thermostats
Release Date: July 24, 2025
Alert Code: ICSA-25-205-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Network Thermostat
- Equipment: X-Series WiFi thermostats
- Vulnerability: Missing Authentication for Critical Function
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain full administrative access to the device.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following Network Thermostat product is affected:
- X-Series WiFi thermostats: Versions v4.5 up to but not including v4.6
- X-Serie
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-07-24