Network Thermostat X-Series WiFi Thermostats
Act Now · CVSS 9.8 · ICS-CERT ICSA-25-205-02 · Jul 24, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The X-Series WiFi thermostat contains a missing-authentication vulnerability (CWE-306) that allows an unauthenticated attacker to gain full administrative access to the device. Affected versions are v4.5; v9.6 through v9.45; v10.1 through v10.28; and v11.1 through v11.4. Network Thermostat has issued patched releases for all four branches: v4.6, v9.46, v10.29 and v11.5. Internet-connected units have received the update automatically; units behind firewalls that did not receive it must be updated manually in coordination with the vendor.
What this means
What could happen
An attacker with network access to an X-Series WiFi thermostat could take full administrative control of the device and alter temperature setpoints, disable heating or cooling, or otherwise disrupt HVAC operation in the building where the device is installed.
Who's at risk
Building facilities teams and property managers operating X-Series WiFi thermostats are affected. The devices control HVAC in offices, schools, hospitals and other buildings; the impact is highest where temperature control is safety- or process-critical (data centers, sensitive manufacturing, medical facilities).
How it could be exploited
An attacker on the network sends requests to the thermostat's web interface or API without supplying any credentials. Because the device does not require authentication for its administrative functions (CWE-306, Missing Authentication for Critical Function), those requests are accepted and executed as if they came from an administrator; there is no login step to defeat.
Prerequisites
- Network connectivity to the thermostat's IP address (the advisory does not name a port; the web interface most likely listens on 80 or 443)
- The thermostat must be reachable from the attacker's position, e.g. on the same local network, or from the internet if it is not firewalled
- Remotely exploitable
- No authentication required
- Low attack complexity
- HVAC disruption potential
- Critical CVSS score (9.8)
- Affects all active firmware versions in the v4, v9, v10 and v11 branches
Exploitability
Low exploitation probability (EPSS 0.2%, i.e. the EPSS model estimates a 0.2% chance of in-the-wild exploitation within the next 30 days). A low EPSS score reflects observed exploitation activity, not severity; a trivially reachable, unauthenticated device remains a critical exposure if it is network-accessible.
Affected products (4)
Product                              | Affected versions    | Fixed in (per summary) | Tracker fix status
X-Series WiFi thermostats (v4.x)     | >= v4.5 and < v4.6   | v4.6                   | No fix yet
X-Series WiFi thermostats (v9.x)     | >= v9.6 and < v9.46  | v9.46                  | No fix yet
X-Series WiFi thermostats (v10.x)    | >= v10.1 and < v10.29 | v10.29                | No fix yet
X-Series WiFi thermostats (v11.x)    | >= v11.1 and < v11.5 | v11.5                  | No fix yet
The tracker's fix-status column still reads "No fix yet" for all four rows; this conflicts with the summary, which lists vendor patches for every branch, and the upper bound of each affected range is exactly that patched release.
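As an added example (not vendor or ICS-CERT tooling), the Python helper below classifies inventory firmware versions against the ranges in this table and reports the release each affected device should move to. The inventory entries are constructed, and the version format v<major>.<minor> is assumed from the advisory's own notation. The v9 branch is the one to get right: the affected range runs from v9.6 up to v9.45, so segments must be compared numerically; a plain string comparison ranks "v9.45" below "v9.6" and would miss it.

```python
"""Triage X-Series WiFi thermostat firmware versions against the advisory's
affected ranges. Added example, not vendor tooling; assumes versions are
written v<major>.<minor> as in the advisory (e.g. v9.45)."""
import re

# (first affected, first fixed) per branch, taken from the affected-products table.
AFFECTED_RANGES = {
    4: ((4, 5), (4, 6)),
    9: ((9, 6), (9, 46)),
    10: ((10, 1), (10, 29)),
    11: ((11, 1), (11, 5)),
}


def parse_version(text):
    """Turn 'v9.45' (or '9.45') into the tuple (9, 45).

    Tuples compare segment by segment, so (9, 45) > (9, 6) as intended;
    comparing the raw strings would give 'v9.45' < 'v9.6' and misclassify.
    """
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(text):
    """Return (status, fixed_release) for one version string.

    status is one of: 'affected', 'patched', 'below-listed-range',
    'unlisted-branch'. fixed_release is None for an unlisted branch.
    """
    ver = parse_version(text)
    rng = AFFECTED_RANGES.get(ver[0])
    if rng is None:
        return "unlisted-branch", None
    first_affected, first_fixed = rng
    fixed_release = f"v{first_fixed[0]}.{first_fixed[1]}"
    if first_affected <= ver < first_fixed:
        return "affected", fixed_release
    if ver >= first_fixed:
        return "patched", fixed_release
    # Older than anything the advisory lists: not cleared, confirm with the vendor.
    return "below-listed-range", fixed_release


def triage(inventory):
    """inventory: iterable of (device_id, version_string) -> list of result dicts."""
    rows = []
    for device_id, version in inventory:
        status, fixed = assess(version)
        rows.append({"device": device_id, "version": version,
                     "status": status, "update_to": fixed})
    return rows


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    ("thermostat-lobby", "v9.45"),   # last affected v9 release
    ("thermostat-lab", "v9.46"),     # patched
    ("thermostat-roof", "v10.3"),
    ("thermostat-mdf", "v11.5"),
    ("thermostat-annex", "v4.5"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

Feed it the device list exported from whatever asset inventory holds the thermostats; anything reported as affected or below-listed-range goes on the patch schedule below.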
Remediation & Mitigation
Do now
- HARDENING: Isolate the thermostat network from internet-facing segments; ensure thermostats are not directly reachable from the internet.
- HARDENING: Place thermostats and their management network behind firewalls with restrictive inbound rules, allowing only the management hosts that need to reach them.
- WORKAROUND: If remote access to thermostats is required, use a VPN that is itself kept current with security patches rather than exposing the devices directly to the internet.
Schedule (requires maintenance window)
Patching may require a device reboot; plan for the resulting HVAC interruption.
- HOTFIX: Update X-Series WiFi thermostats to v4.6 or later (v4.x), v9.46 or later (v9.x), v10.29 or later (v10.x), or v11.5 or later (v11.x).
- HOTFIX: For thermostats behind firewalls that did not receive the automatic update, contact Network Thermostat support to coordinate a manual firmware update.
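One way to confirm that the isolation and firewall controls above actually hold is to look for accepted connections to the thermostat segment from anything other than the management hosts or VPN pool. The Python check below is an added example and not part of the advisory; the subnets, the five-field flow-log format (timestamp, source, destination, destination port, action) and the log lines are all constructed. It distinguishes an accepted connection from a public address (the device is internet-exposed) from one originating on another internal segment (segmentation is incomplete).

```python
"""Flag thermostat-segment connections that violate the intended isolation.
Added example; network plan, log format and log lines are constructed."""
import ipaddress

# Assumed network plan: thermostats on their own VLAN, reachable only from the
# building-management subnet (which also serves as the VPN address pool).
THERMOSTAT_NET = ipaddress.ip_network("10.40.10.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]
# RFC 1918 space; anything outside it is treated as external. Explicit ranges
# are used instead of ipaddress.is_global so documentation addresses in the
# sample log (203.0.113.0/24) are classified as external like any other.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow(line):
    """Parse one 'ts src dst dport action' record; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "dport": int(dport), "action": action}
    except ValueError:
        return None


def classify(flow):
    """Return a finding type for a policy-violating flow, else None."""
    if flow["dst"] not in THERMOSTAT_NET:
        return None
    if flow["action"] != "ACCEPT":
        return None  # a blocked attempt is the firewall working, not a gap
    if any(flow["src"] in net for net in ALLOWED_SOURCES):
        return None
    if any(flow["src"] in net for net in INTERNAL_NETS):
        return "cross-segment"      # internal host outside the management subnet
    return "internet-exposed"       # accepted from a non-RFC1918 source


def find_exposures(lines):
    """Return (kind, src, dst, dport) for every violating flow in the log."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        kind = classify(flow)
        if kind:
            findings.append((kind, str(flow["src"]), str(flow["dst"]), flow["dport"]))
    return findings


# Constructed sample firewall log (hypothetical addresses).
SAMPLE_LOG = """\
2025-07-25T09:00:01Z 10.0.5.12 10.40.10.21 80 ACCEPT
2025-07-25T09:00:07Z 10.20.3.44 10.40.10.21 80 ACCEPT
2025-07-25T09:01:13Z 203.0.113.7 10.40.10.22 443 ACCEPT
2025-07-25T09:01:20Z 198.51.100.9 10.40.10.22 80 DROP
2025-07-25T09:02:02Z 10.40.10.21 10.0.5.12 443 ACCEPT
garbage line
""".splitlines()

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(finding)
```

Run it over the firewall's accept/deny log for the thermostat VLAN; an "internet-exposed" finding means a device is reachable from outside and should be treated as a live instance of this advisory until it is isolated and patched.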
CVEs (1)