CVE-2025-6260

Summary

The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.

Affected Software

VendorProductVersion RangeStatus
Network ThermostatX-Series WiFi thermostatsv4.5 < 4.6affected
Network ThermostatX-Series WiFi thermostatsv9.6 < v9.46affected
Network ThermostatX-Series WiFi thermostatsv10.1 < v10.29affected
Network ThermostatX-Series WiFi thermostatsv11.1 < v11.5affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References