cvedb.io
CVE-2025-6260
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2025-07-24T21:15:52.447 · Last modified 2026-06-17T10:01:28.700

Summary

The embedded web server on thermostats in the listed version ranges contains a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.