Thermostat Embedded Web Server Vulnerability Exposes User Credentials
CVE-2025-6260

9.3CRITICAL

Key Information:

Vendor: Network Thermostat
Status: X-series Wifi Thermostats
Vendor: CVE Published:; 24 July 2025

🔔 Create Network Thermostat Vulnerability Alert

What is CVE-2025-6260?

The embedded web server on certain smart thermostat models is susceptible to unauthorized access, allowing attackers on the local network or the Internet to manipulate the device's web interface. This vulnerability enables intruders to reset user credentials without requiring authentication, posing significant security risks for users. Effective countermeasures must be taken to ensure the integrity of the device and protect sensitive user information.

Affected Version(s)

X-Series WiFi thermostats v4.5 < 4.6

X-Series WiFi thermostats v9.6

X-Series WiFi thermostats v10.1

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-2...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 24, 2025
Vulnerability Reserved
Jun 18, 2025

Credit

Souvik Kandar reported this vulnerability to CISA.