CVE-2025-6260
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Network Thermostat | X-Series WiFi thermostats | v4.5 < 4.6 | affected |
| Network Thermostat | X-Series WiFi thermostats | v9.6 < v9.46 | affected |
| Network Thermostat | X-Series WiFi thermostats | v10.1 < v10.29 | affected |
| Network Thermostat | X-Series WiFi thermostats | v11.1 < v11.5 | affected |
Weaknesses
- CWE-306: CWE-306 Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.