Home

Description

The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.

PUBLISHED Reserved 2025-06-18 | Published 2025-07-24 | Updated 2025-07-25 | Assigner icscert




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unaffected

v4.5 (custom) before 4.6
affected

v9.6 (custom) before v9.46
affected

v10.1 (custom) before v10.29
affected

v11.1 (custom) before v11.5
affected

Credits

Souvik Kandar reported this vulnerability to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-25-205-02

cve.org (CVE-2025-6260)

nvd.nist.gov (CVE-2025-6260)

Download JSON