CVE-2025-6260 · CRITICAL 9.8 · EPSS p36.3%


Description

The embedded web server in the listed thermostat firmware version ranges contains a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding configured, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% probability of exploitation · percentile 36.3% · 2026-06-19T12:03:05Z
Published: 2025-07-24
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-306

References

  1. https://www.cisa.gov/news-events/ics-advisories/icsa-25-205-02


Type      Target                                                   Confidence  Tier
Weakness  Missing Authentication for Critical Function (cwe-306)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-0680
  2. CVE-2025-59601
  3. CVE-2026-5300
  4. CVE-2026-35075
  5. CVE-2025-41709
  6. CVE-2025-59817
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.