CVE-2025-11500
Information Disclosure via Unauthenticated Access in Tinycontrol Devices
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: CERT.PL
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tinycontrol | lk3.5 | 1.67 |
| tinycontrol | lk3.9 | 1.75 |
| tinycontrol | lk4 | 1.38 |
| tinycontrol | tcpdu | 1.36 |
| tinycontrol | lan_controller | 1.67 |
| tinycontrol | lan_controller | 1.75 |
| tinycontrol | lan_controller | 1.38 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-261 | Obscuring a password with a trivial encoding does not protect the password. |
AI Powered Q&A
Can you explain this vulnerability to me?
Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9, and LK4 have two separate authentication mechanisms: one for interface management and another for protecting other server resources.
When the authentication mechanism protecting other server resources is turned off (which is the default setting), an unauthenticated attacker on the local network can obtain usernames and encoded passwords for the interface management portal.
This happens because the HTTP response from the server when visiting the login page contains a JSON file with these credentials, exposing both normal and admin user credentials.
How can this vulnerability impact me?
An attacker on the local network can gain access to usernames and encoded passwords for the interface management portal without authentication.
This exposure of credentials can lead to unauthorized access to device management interfaces, potentially allowing attackers to control or disrupt device operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the HTTP response the Tinycontrol device returns for its login page on the local network: when the secondary authentication mechanism is off, that response includes a JSON document carrying the usernames and encoded passwords, and no credentials are needed to receive it.
To detect this on your network or system, capture the HTTP traffic to the device's login page with a network monitoring tool such as Wireshark or tcpdump and look at the response body. This only works for plain HTTP; if the device is reached over TLS the body is not visible on the wire.
Example commands to capture and filter the traffic (replace <interface> and <device_ip> with the actual interface name and device IP address):
- `tcpdump -i <interface> -w capture.pcap host <device_ip> and port 80`
- `tshark -r capture.pcap -Y 'http.response_for.uri contains "login"' -T fields -e http.file_data`
The tcpdump output file is given before the filter expression so the expression is not mis-parsed, and the tshark filter selects the responses to login-page requests (filtering on `http.request.uri` would select only the requests, whose body is empty for a GET). If the printed response body contains JSON with usernames and encoded passwords, the device is affected.
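The check described above, run offline over a captured response, as an added example that is not part of the advisory: it extracts the body of a raw HTTP response, walks any JSON in it for credential-like keys, and reports whether each value is merely base64-encoded (the CWE-261 point that encoding is not protection). The response layout, field names and base64 encoding are assumptions for illustration; the advisory does not give the device's real JSON format.

```python
import base64
import json
import re

# Constructed sample of a captured login-page response (assumed layout;
# the advisory does not give the device's real JSON field names).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"users":[{"login":"admin","pass":"YWRtaW4xMjM="},'
    '{"login":"user","pass":"dXNlcjEyMw=="}]}'
)

# Key names that suggest a credential is being sent to the client.
CRED_KEY = re.compile(r"pass|pwd|secret|login|user", re.I)

def http_body(raw):
    """Return the body of a raw HTTP response (everything after the blank line)."""
    return raw.partition("\r\n\r\n")[2]

def walk(obj, path=""):
    """Yield (json path, value) for every scalar inside a nested JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, obj

def is_trivially_encoded(value):
    """Assumed check for CWE-261: well-formed base64 that decodes to
    printable text is an encoding, not protection."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return bool(decoded) and decoded.isprintable()

def find_exposed_credentials(raw):
    """Return [(json path, trivially_encoded)] for every non-empty string
    under a credential-like key in the JSON body; non-JSON bodies give []."""
    try:
        data = json.loads(http_body(raw))
    except ValueError:
        return []
    return [(p, is_trivially_encoded(v)) for p, v in walk(data)
            if isinstance(v, str) and v and CRED_KEY.search(p.rsplit(".", 1)[-1])]
```

A non-empty result for an unauthenticated fetch of the login page is the condition the advisory describes; an empty result on a response that is not JSON is the expected negative.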
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to ensure that the authentication mechanism protecting all other server resources is enabled, as it is disabled by default and its absence allows credential exposure.
Additionally, update the firmware of the affected Tinycontrol devices to the fixed versions:
- Firmware version 1.36 for tcPDU
- Firmware version 1.67 for LAN Controllers LK3.5 (hardware versions 3.5, 3.6, 3.7, 3.8)
- Firmware version 1.75 for LAN Controller LK3.9 (hardware version 3.9)
- Firmware version 1.38 for LAN Controller LK4 (hardware version 4.0)
These updates fix the vulnerability and prevent unauthorized access to usernames and passwords.