CVE Vulnerability Details: CVE-2025-6260
PUBLISHED
Assigner: icscert
Assigner Org ID: 7d14cffa-0d7d-4270-9dc0-52cabd5a23a6
Published At: 24 Jul, 2025 | 20:53
Updated At: 25 Jul, 2025 | 13:31
CVE Numbering Authority (CNA)
Network Thermostat X-Series WiFi Thermostats Missing Authentication for Critical Function

The embedded web server on thermostats in the listed version ranges contains a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.

Affected Products
Vendor: Network Thermostat
Product: X-Series WiFi thermostats
Default Status: unaffected
Versions (Affected):
  • From v4.5 before 4.6 (custom)
  • From v9.6 before v9.46 (custom)
  • From v10.1 before v10.29 (custom)
  • From v11.1 before v11.5 (custom)
Problem Types
Type | CWE ID | Description
CWE | CWE-306 | CWE-306 Missing Authentication for Critical Function
Metrics
Version | Base score | Base severity | Vector
4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Solutions

Network Thermostat recommends that users update to the following (or newer) versions:
  • X-Series WiFi thermostats with v4.x to a minimum of v4.6
  • X-Series WiFi thermostats with v9.x to a minimum of v9.46
  • X-Series WiFi thermostats with v10.x to a minimum of v10.29
  • X-Series WiFi thermostats with v11.x to a minimum of v11.5

This update was applied automatically to reachable units, requiring no action from end users. If end users would like their units behind firewalls to be updated, contact Network Thermostat at support@networkthermostat.com to coordinate an update.

Credits

Finder: Souvik Kandar reported this vulnerability to CISA.
References
Hyperlink | Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-205-02 | N/A
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment