CVE-2025-15587
Deferred Deferred - Pending Action
Administrator Password Disclosure via Unauthorized Resource Access in Tinycontrol Devices

Publication date: 2026-03-16

Last updated on: 2026-05-19

Assigner: CERT.PL

Description
Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) andΒ 1.38 (for LK4 - hardware version 4.0).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15587
EUVD
EUVD-2025-208690
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
tinycontrol tcpdu 1.36
tinycontrol lk3.5 1.67
tinycontrol lk3.9 1.75
tinycontrol lk4 1.38
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-425 The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9, and LK4. It allows a low privileged user to read an administrator's password by directly accessing a specific resource that is not accessible through the graphical interface.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of administrator passwords, potentially allowing attackers with low privileges to gain elevated access or control over the affected devices.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update the firmware of your Tinycontrol devices to the fixed versions.

  • For tcPDU devices, upgrade to firmware version 1.36 or later.
  • For LK3.5 devices (hardware versions 3.5, 3.6, 3.7, and 3.8), upgrade to firmware version 1.67 or later.
  • For LK3.9 devices (hardware version 3.9), upgrade to firmware version 1.75 or later.
  • For LK4 devices (hardware version 4.0), upgrade to firmware version 1.38 or later.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15587. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart