Advisory

Authentication bypass vulnerability reported in Network Thermostat Smart Building Systems

Take action: If you have Network Thermostat X-Series WiFi thermostats, make sure they are isolated from the internet. Then check whether each device has already auto-updated to a fixed version (v4.6+, v9.46+, v10.29+, or v11.5+, depending on the firmware branch it runs). If a device has not updated, contact support@networkthermostat.com for manual update instructions.


Learn More

Network Thermostat reports a critical security vulnerability affecting its X-Series WiFi thermostats that could allow unauthenticated attackers to gain complete administrative access to building climate control systems. These smart thermostats are commonly deployed in commercial facilities throughout the United States and Canada.

The flaw is tracked as CVE-2025-6260 (CVSS score 9.8), and is caused by missing authentication in the embedded web server component of Network Thermostat's X-Series WiFi devices. It allows unauthenticated attackers operating either from local area networks or remotely via the internet to gain direct access to the thermostat's embedded web interface and reset user credentials.

The flaw affects Network Thermostat X-Series WiFi thermostats running any of the following firmware versions:

  • v4.5 up to but not including v4.6
  • v9.6 up to but not including v9.46
  • v10.1 up to but not including v10.29
  • v11.1 up to but not including v11.5

Network Thermostat has released patched firmware. Organizations using X-Series WiFi thermostats should upgrade according to the firmware branch each device runs:

  • devices running v4.x firmware: upgrade to v4.6 or later
  • devices running v9.x firmware: upgrade to v9.46 or later
  • devices running v10.x firmware: upgrade to v10.29 or later
  • devices running v11.x firmware: upgrade to v11.5 or later
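The affected and fixed ranges above are per firmware branch, and a common mistake when triaging an inventory is to compare version strings lexically (as strings, "10.3" sorts after "10.29"). The script below is an added example, not Network Thermostat's code, that parses the firmware string numerically and classifies each device against the ranges listed in this advisory. The device names and firmware values in the inventory are constructed sample data; the `below-listed-range` status is this example's own label for builds older than the earliest listed affected version and should be confirmed with the vendor rather than treated as safe.

```python
# Added example (not Network Thermostat's code): classify X-Series WiFi
# thermostats against the CVE-2025-6260 affected/fixed ranges from the advisory.
# Firmware strings are assumed to be dotted numerics such as "v10.29".

# Per firmware branch: (first affected version, first fixed version).
AFFECTED_RANGES = {
    4: ((4, 5), (4, 6)),
    9: ((9, 6), (9, 46)),
    10: ((10, 1), (10, 29)),
    11: ((11, 1), (11, 5)),
}


def parse_version(s):
    """Turn 'v10.29' into the tuple (10, 29).

    Tuples compare element-wise as integers, so (10, 3) < (10, 29) holds,
    whereas the strings "10.3" and "10.29" would compare the wrong way.
    """
    s = s.strip().lower().lstrip("v")
    return tuple(int(part) for part in s.split("."))


def assess(version_str):
    """Return 'affected', 'fixed', 'below-listed-range' or 'unknown-branch'."""
    v = parse_version(version_str)
    branch = AFFECTED_RANGES.get(v[0])
    if branch is None:
        # Major version not covered by the advisory (e.g. v3.x); needs manual review.
        return "unknown-branch"
    first_affected, first_fixed = branch
    if v < first_affected:
        # Older than the earliest listed affected build; this example's own label,
        # not a vendor statement that such builds are safe.
        return "below-listed-range"
    if v >= first_fixed:
        return "fixed"
    return "affected"


def triage(inventory):
    """inventory: iterable of (device_id, firmware_string) -> {device_id: status}."""
    return {dev: assess(fw) for dev, fw in inventory}


# Constructed sample inventory (hypothetical device names and firmware values).
SAMPLE_INVENTORY = [
    ("lobby-tstat-01", "v10.3"),    # affected: 10.3 < 10.29 numerically
    ("lobby-tstat-02", "v10.29"),   # fixed
    ("floor2-tstat-07", "v4.5"),    # affected: first affected build on the 4.x branch
    ("floor3-tstat-11", "v9.46"),   # fixed
    ("annex-tstat-02", "v11.2"),    # affected
    ("legacy-tstat-01", "v3.9"),    # unknown-branch: not covered by the advisory
]

if __name__ == "__main__":
    for dev, status in triage(SAMPLE_INVENTORY).items():
        print(f"{dev}: {status}")
```

Run it against an export of your device inventory in place of `SAMPLE_INVENTORY`; any device reported as `affected` that cannot be auto-updated because it is isolated from the internet is the one to take to support@networkthermostat.com for a manual update.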

The company has implemented automatic update mechanisms for internet-reachable devices. Organizations with devices deployed behind firewalls that prevent automatic updates should contact Network Thermostat support at support@networkthermostat.com to coordinate manual firmware updates.

Organizations should minimize network exposure for all control system devices, ensuring they are not directly accessible from the internet. Note that a thermostat isolated in this way will not receive the automatic update, so its firmware version must be verified and, if still affected, updated manually.

Currently, no evidence of active exploitation targeting this specific vulnerability has been reported to CISA.
