We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-6260

Network Thermostat X-Series WiFi Thermostats Missing Authentication for Critical Function



Description

The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.

Reserved 2025-06-18 | Published 2025-07-24 | Updated 2025-07-25 | Assigner icscert


CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unaffected

v4.5 before 4.6
affected

v9.6 before v9.46
affected

v10.1 before v10.29
affected

v11.1 before v11.5
affected

Credits

Souvik Kandar reported this vulnerability to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-25-205-02

cve.org (CVE-2025-6260)

nvd.nist.gov (CVE-2025-6260)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-6260

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.