CVE-2025-6260 (GCVE-0-2025-6260)

Vulnerability from cvelistv5 – Published: 2025-07-24 20:53 – Updated: 2025-07-25 13:31
VLAI?
Title
Network Thermostat X-Series WiFi Thermostats Missing Authentication for Critical Function
Summary
The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.
Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
Vendor Product Version
Network Thermostat X-Series WiFi thermostats Affected: v4.5 , < 4.6 (custom)
Affected: v9.6 , < v9.46 (custom)
Affected: v10.1 , < v10.29 (custom)
Affected: v11.1 , < v11.5 (custom)
Create a notification for this product.
Credits
Souvik Kandar reported this vulnerability to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6260",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-25T13:31:41.404162Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-25T13:31:50.926Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "X-Series WiFi thermostats",
          "vendor": "Network Thermostat",
          "versions": [
            {
              "lessThan": "4.6",
              "status": "affected",
              "version": "v4.5",
              "versionType": "custom"
            },
            {
              "lessThan": "v9.46",
              "status": "affected",
              "version": "v9.6",
              "versionType": "custom"
            },
            {
              "lessThan": "v10.29",
              "status": "affected",
              "version": "v10.1",
              "versionType": "custom"
            },
            {
              "lessThan": "v11.5",
              "status": "affected",
              "version": "v11.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Souvik Kandar reported this vulnerability to CISA."
        }
      ],
      "datePublic": "2025-07-24T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat\u0027s embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.\u003c/span\u003e"
            }
          ],
          "value": "The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat\u0027s embedded web server and reset user credentials by manipulating specific elements of the embedded web interface."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-24T20:53:17.534Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-205-02"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eNetwork Thermostat recommends users to update to the following (or newer) versions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eX-Series WiFi thermostats with v4.x to a minimum of v4.6\u003c/li\u003e\u003cli\u003eX-Series WiFi thermostats with v9.x to a minimum of v9.46\u003c/li\u003e\u003cli\u003eX-Series WiFi thermostats with v10.x to a minimum of v10.29\u003c/li\u003e\u003cli\u003eX-Series WiFi thermostats with v11.x to a minimum of v11.5\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis update was applied automatically to reachable units, requiring no action from end users.\u003c/p\u003e\u003cp\u003eIf end users would like their units behind firewalls to be updated, contact Network Thermostat at \u003ca target=\"_blank\" rel=\"nofollow\"\u003esupport@networkthermostat.com\u003c/a\u003e\u0026nbsp;to coordinate an update.\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Network Thermostat recommends users to update to the following (or newer) versions:\n\n  *  X-Series WiFi thermostats with v4.x to a minimum of v4.6\n  *  X-Series WiFi thermostats with v9.x to a minimum of v9.46\n  *  X-Series WiFi thermostats with v10.x to a minimum of v10.29\n  *  X-Series WiFi thermostats with v11.x to a minimum of v11.5\n\n\nThis update was applied automatically to reachable units, requiring no action from end users.\n\nIf end users would like their units behind firewalls to be updated, contact Network Thermostat at support@networkthermostat.com\u00a0to coordinate an update."
        }
      ],
      "source": {
        "advisory": "ICSA-25-205-02",
        "discovery": "EXTERNAL"
      },
      "title": "Network Thermostat X-Series WiFi Thermostats Missing Authentication for Critical Function",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-6260",
    "datePublished": "2025-07-24T20:53:17.534Z",
    "dateReserved": "2025-06-18T22:35:45.412Z",
    "dateUpdated": "2025-07-25T13:31:50.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-6260\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-07-24T21:15:52.447\",\"lastModified\":\"2025-07-25T15:29:19.837\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat\u0027s embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.\"},{\"lang\":\"es\",\"value\":\"El servidor web integrado en los rangos de versiones del termostato enumerados contiene una vulnerabilidad que permite a atacantes no autenticados, ya sea en la red de \u00e1rea local o desde Internet a trav\u00e9s de un enrutador con reenv\u00edo de puertos configurado, obtener acceso directo al servidor web integrado del termostato y restablecer las credenciales del usuario manipulando elementos espec\u00edficos de la interfaz web integrada.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-25-205-02\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-6260\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-25T13:31:41.404162Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-25T13:31:46.205Z\"}}], \"cna\": {\"title\": \"Network Thermostat X-Series WiFi Thermostats Missing Authentication for Critical Function\", \"source\": {\"advisory\": \"ICSA-25-205-02\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Souvik Kandar reported this vulnerability to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Network Thermostat\", \"product\": \"X-Series WiFi thermostats\", \"versions\": [{\"status\": \"affected\", \"version\": \"v4.5\", \"lessThan\": \"4.6\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"v9.6\", \"lessThan\": \"v9.46\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"v10.1\", \"lessThan\": \"v10.29\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"v11.1\", \"lessThan\": \"v11.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Network Thermostat recommends users to update to the following (or newer) versions:\\n\\n  *  X-Series WiFi thermostats with v4.x to a minimum of v4.6\\n  *  X-Series WiFi thermostats with v9.x to a minimum of v9.46\\n  *  X-Series WiFi thermostats with v10.x to a minimum of v10.29\\n  *  X-Series WiFi thermostats with v11.x to a minimum of v11.5\\n\\n\\nThis update was applied automatically to reachable units, requiring no action from end users.\\n\\nIf end users would like their units behind firewalls to be updated, contact Network Thermostat at support@networkthermostat.com\\u00a0to coordinate an update.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eNetwork Thermostat recommends users to update to the following (or newer) versions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eX-Series WiFi thermostats with v4.x to a minimum of v4.6\u003c/li\u003e\u003cli\u003eX-Series WiFi thermostats with v9.x to a minimum of v9.46\u003c/li\u003e\u003cli\u003eX-Series WiFi thermostats with v10.x to a minimum of v10.29\u003c/li\u003e\u003cli\u003eX-Series WiFi thermostats with v11.x to a minimum of v11.5\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis update was applied automatically to reachable units, requiring no action from end users.\u003c/p\u003e\u003cp\u003eIf end users would like their units behind firewalls to be updated, contact Network Thermostat at \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\"\u003esupport@networkthermostat.com\u003c/a\u003e\u0026nbsp;to coordinate an update.\u003c/p\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2025-07-24T16:00:00.000Z\", \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-25-205-02\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat\u0027s embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThe embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat\u0027s embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306 Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-07-24T20:53:17.534Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-6260\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-25T13:31:50.926Z\", \"dateReserved\": \"2025-06-18T22:35:45.412Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-07-24T20:53:17.534Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.