Network Thermostat X-Series WiFi Thermostats

Plan: Patch
CVSS: 9.8
ICS-CERT: ICSA-25-205-02
Date: Jul 24, 2025

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A missing authentication check in Network Thermostat X-Series WiFi thermostats allows an attacker to gain full administrative access without credentials. Affected versions include v4.5–v4.6 (exclusive), v9.6–v9.46 (exclusive), v10.1–v10.29 (exclusive), and v11.1–v11.5 (exclusive). An attacker with network access can change device settings, potentially altering temperature control and disrupting facility operations. The vendor has released firmware updates for all affected version branches and has automatically patched internet-reachable units. Firmware-locked devices behind firewalls require manual coordination with the vendor for patching.

What this means
What could happen
An attacker with network access to your thermostat could gain full administrative control, potentially allowing them to change temperature setpoints, disable occupancy controls, or cause heating/cooling system failures that affect building comfort and operations.
Who's at risk
Building facility managers and HVAC technicians responsible for X-Series WiFi thermostats used in commercial buildings, offices, schools, and data centers. Any organization using these thermostats for climate control should assess their network exposure and apply the recommended updates.
How it could be exploited
An attacker on the same network as your X-Series thermostat (or the internet, if the device is directly reachable) can send unauthenticated network requests to exploit a missing authentication check. This gives them the same control as an authorized administrator.
Prerequisites
  • Network access to the thermostat (direct internet or same local network)
  • No credentials or authentication required
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Critical CVSS score (9.8)
  • Affects building comfort and safety systems
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (4)
Product                      Affected Versions     Fix Status
X-Series WiFi thermostats    >= v4.5,  < v4.6      No fix yet
X-Series WiFi thermostats    >= v9.6,  < v9.46     No fix yet
X-Series WiFi thermostats    >= v10.1, < v10.29    No fix yet
X-Series WiFi thermostats    >= v11.1, < v11.5     No fix yet
Remediation & Mitigation
Do now
  • Hardening: Restrict network access to thermostats by placing them behind a firewall or on a separate control system network isolated from business systems
  • Hardening: Ensure thermostats are not directly accessible from the internet
  • Workaround: If remote access to thermostats is required, use a VPN or secure remote access method rather than direct internet exposure
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • Hotfix: Update X-Series thermostats running v4.x to v4.6 or later
  • Hotfix: Update X-Series thermostats running v9.x to v9.46 or later
  • Hotfix: Update X-Series thermostats running v10.x to v10.29 or later
  • Hotfix: Update X-Series thermostats running v11.x to v11.5 or later
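As an added example for the inventory side of this remediation (not code from the advisory or the vendor), the script below maps a thermostat's reported firmware string onto the four affected branches above and returns the release it must be updated to. The device names and firmware values in the sample inventory are constructed; the version boundaries come straight from the advisory (lower bound inclusive, upper bound exclusive). It also shows why the comparison must be numeric: as strings, "v9.46" sorts before "v9.6".

```python
import re
from typing import Optional

# Affected ranges from ICSA-25-205-02: lower bound inclusive, upper bound exclusive.
# The upper bound of each range is also the fixed release named in the hotfix items.
AFFECTED_RANGES = [
    ("v4.5", "v4.6"),
    ("v9.6", "v9.46"),
    ("v10.1", "v10.29"),
    ("v11.1", "v11.5"),
]


def parse_version(v: str) -> tuple:
    """Turn 'v9.46' (or '9.46') into (9, 46) so ordering is numeric, not lexical."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {v!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(version: str) -> Optional[str]:
    """Return the release to update to if `version` is affected, else None."""
    current = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= current < parse_version(high):
            return high
    return None


def triage(inventory: dict) -> dict:
    """Map each device name to the target firmware (None means not affected)."""
    return {name: assess(fw) for name, fw in inventory.items()}


# Constructed sample inventory for illustration; names and versions are made up.
SAMPLE_INVENTORY = {
    "hvac-lobby": "v9.45",        # last affected v9 release
    "hvac-server-room": "v9.46",  # first fixed v9 release
    "hvac-floor2": "10.28",       # reported without the 'v' prefix
    "hvac-annex": "v4.5",
    "hvac-lab": "v11.5",
}

if __name__ == "__main__":
    for name, target in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {'update to ' + target if target else 'not affected'}")
```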