# Full Report
CERT Polska has received reports about two vulnerabilities (CVE-2025-11500 and CVE-2025-15587) found in multiple tinycontrol devices (tcPDU and LAN Controllers: LK3.5, LK3.9 and LK4).
# Analysis Summary
# Vulnerability: Multiple Authentication Flaws in tinycontrol Devices
## CVE Details
**Vulnerability 1**
- **CVE ID:** CVE-2025-11500
- **CVSS Score:** Not explicitly provided in article (typically High for credential exposure)
- **CWE:** CWE-261 (Weak Encoding for Password)
**Vulnerability 2**
- **CVE ID:** CVE-2025-15587
- **CVSS Score:** Not explicitly provided in article
- **CWE:** CWE-425 (Direct Request / Forced Browsing)
## Affected Systems
- **Products:** tinycontrol tcPDU and LAN Controllers (LK3.5, LK3.9, LK4)
- **Versions:**
  - tcPDU: versions prior to 1.36
  - LK3.5 (Hardware 3.5-3.8): versions prior to 1.67
  - LK3.9 (Hardware 3.9): versions prior to 1.75
  - LK4 (Hardware 4.0): versions prior to 1.38
- **Configurations:** CVE-2025-11500 is exploitable when the secondary authentication mechanism for server resources is disabled (the default factory setting).
## Vulnerability Description
- **CVE-2025-11500:** The devices utilize two authentication layers. If the resource protection layer is disabled, the login page's HTTP response includes a JSON file containing usernames and encoded passwords for the management portal. This allows for the exposure of both standard and administrator credentials.
- **CVE-2025-15587:** A low-privileged user can bypass graphical interface restrictions to directly request a specific internal resource that displays the administrator's password in plaintext or recoverable format.
## Exploitation
- **Status:** Reported via CVD; no evidence of active exploitation in the wild mentioned.
- **Complexity:** Low (CVE-2025-11500 requires simple inspection of HTTP traffic; CVE-2025-15587 requires knowledge of a specific URL).
- **Attack Vector:**
  - **CVE-2025-11500:** Network (unauthenticated attacker on the local network).
  - **CVE-2025-15587:** Network (low-privileged authenticated user).
## Impact
- **Confidentiality:** High (Exposure of administrative credentials).
- **Integrity:** High (Full administrative control over power distribution and LAN controllers).
- **Availability:** High (Potential to toggle power and control settings).
## Remediation
### Patches
Users should update to the following firmware versions immediately:
- **tcPDU:** Firmware v1.36
- **LK3.5:** Firmware v1.67
- **LK3.9:** Firmware v1.75
- **LK4:** Firmware v1.38
### Workarounds
- Enable the secondary authentication mechanism for all server resources if the update cannot be applied immediately.
- Ensure management interfaces are isolated from the public internet and restricted to trusted local networks or VPNs.
## Detection
- **Indicators of Compromise:** Unusual HTTP GET/POST requests to non-standard or internal resource paths not linked in the GUI.
- **Detection methods:** Inspecting network traffic for JSON responses from the device containing user account data or credential strings.
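The two detection methods above can be turned into a small audit script. The following is an added example written for this summary, not code from CERT Polska or tinycontrol: it scans an HTTP response body (for example the device's login page as captured by a proxy or packet capture) for JSON objects whose keys look like account credentials, and scans web-server style access log lines for successful requests to paths outside an allowlist of pages the GUI actually links to. The JSON field names, the login-page HTML, the `GUI_PATHS` allowlist, the `/hidden/...` paths and the log lines are all constructed for the example; the real device's paths and field names are not given on this page and must be taken from your own captures.

```python
"""Defender-side checks for the tinycontrol issues summarized above.

Added example; not vendor or CERT Polska code. All sample data below is constructed.
"""
import json
import re
from typing import Iterable, Iterator

# Key names that suggest account data is being returned to the client.
CREDENTIAL_KEY_RE = re.compile(r"(user|login|pass|pwd|secret|token)", re.IGNORECASE)


def _extract_json_objects(text: str) -> Iterator[object]:
    """Yield every balanced {...} block in text that parses as JSON.

    Login pages often embed configuration JSON inside <script> tags, so a plain
    json.loads() on the whole body would fail; this scanner finds embedded objects.
    """
    depth, start, in_str = 0, None, False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_str = not in_str
        if in_str:
            continue  # braces inside JSON strings do not count
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                try:
                    yield json.loads(text[start:i + 1])
                except ValueError:
                    pass  # balanced braces but not JSON (e.g. CSS or JS code)


def _walk(obj: object, path: str = "") -> Iterator[tuple[str, str, object]]:
    """Yield (json_path, key, value) for every key in a nested JSON structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield f"{path}/{k}", k, v
            yield from _walk(v, f"{path}/{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")


def find_credential_fields(body: str) -> list[str]:
    """Return JSON paths in an HTTP response body whose keys look like credentials.

    Only scalar values are reported, so a container key such as "users" is not
    flagged by itself; its children are.
    """
    try:
        docs = [json.loads(body)]          # body is pure JSON
    except ValueError:
        docs = list(_extract_json_objects(body))  # body is HTML/JS with embedded JSON
    return [
        path
        for doc in docs
        for path, key, value in _walk(doc)
        if CREDENTIAL_KEY_RE.search(key) and isinstance(value, (str, int))
    ]


# Hypothetical allowlist: the paths the device GUI actually links to.
# Build the real list from a crawl of your own device's interface.
GUI_PATHS = {"/", "/index.html", "/login.html", "/status.html", "/api/status"}

# Common-log-format style line: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def flag_unlinked_requests(log_lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (client, user, path) for successful requests to paths the GUI never links.

    A 2xx response to an unlinked path is the "forced browsing" pattern; failed
    probes (4xx) are dropped here but are worth counting separately.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line
        path = m.group("path").split("?", 1)[0]  # ignore query string
        if m.group("status").startswith("2") and path not in GUI_PATHS:
            hits.append((m.group("ip"), m.group("user"), path))
    return hits


# Constructed sample data: a login page that leaks an embedded account list,
# and four access-log lines, one of which reaches an unlinked path successfully.
SAMPLE_LOGIN_RESPONSE = """<html><head><script>
var cfg = {"users":[{"login":"admin","password":"YWRtaW4xMjM="},{"login":"guest","password":"Z3Vlc3Q="}]};
</script></head><body>login</body></html>"""

SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [01/Mar/2026:10:00:00 +0000] "GET /login.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Mar/2026:10:00:05 +0000] "GET /api/status HTTP/1.1" 200 128',
    '192.0.2.20 - user1 [01/Mar/2026:10:01:00 +0000] "GET /hidden/admin_cfg.json HTTP/1.1" 200 256',
    '192.0.2.20 - user1 [01/Mar/2026:10:01:02 +0000] "GET /hidden/nope HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("credential-like fields in login page:", find_credential_fields(SAMPLE_LOGIN_RESPONSE))
    print("successful requests to unlinked paths:", flag_unlinked_requests(SAMPLE_ACCESS_LOG))
```

Run the first check against the login page of an unpatched device from a host on the management network: any non-empty result means the secondary resource protection is off and the fix (update, or enable the mechanism) has not been applied yet. The log check needs an allowlist built from your own device's interface; treat a 2xx hit by a low-privileged account as the signal to review for CVE-2025-15587 style access.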
## References
- **Vendor Advisory:** hxxps[://]cert[.]pl/en/posts/2026/03/vulnerabilities-in-multiple-tinycontrol-devices/
- **CVD Policy:** hxxps[://]cert[.]pl/en/cvd/
- **CVE Database:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2025-11500
- **CVE Database:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2025-15587