Credentials exposure in tinycontrol devices
Summary
| CVE | CVE-2025-11500 |
|---|---|
| State | PUBLISHED |
| Assigner | CERT-PL |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-16 14:17:54 UTC |
| Updated | 2026-05-19 15:17:37 UTC |
| Description | Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms: one solely for interface management and one for protecting all other server resources. When the latter is turned off (which is the default setting), an unauthenticated attacker on the local network can obtain usernames and encoded passwords for the interface management portal by inspecting the HTTP response of the server when visiting the login page, which contains a JSON file with these details. Both normal and admin users' credentials are exposed. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0). |
Risk And Classification
Primary CVSS: v4.0 8.7 HIGH from [email protected]
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.001410000 probability, percentile 0.336890000 (date 2026-05-26)
Problem Types: CWE-201 Insertion of Sensitive Information Into Sent Data | CWE-261 Weak Encoding for Password
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.7 | HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.7 | HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Metric | Value | Meaning |
|---|---|---|
| AV (Attack Vector) | A | Adjacent (attacker must be on the local network) |
| AC (Attack Complexity) | L | Low |
| AT (Attack Requirements) | N | None |
| PR (Privileges Required) | N | None |
| UI (User Interaction) | N | None |
| VC / VI / VA (Vulnerable System Confidentiality / Integrity / Availability) | H / H / H | High |
| SC / SI / SA (Subsequent System Confidentiality / Integrity / Availability) | N / N / N | None |
| Threat, Environmental and Supplemental metrics (E, CR, IR, AR, MAV ... U) | X | Not Defined |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Tinycontrol | Lan Kontroler V3.5 | affected 1.67 semver | Not specified |
| CNA | Tinycontrol | LK3.9 | affected 1.75 semver | Not specified |
| CNA | Tinycontrol | LK4 | affected 1.38 semver | Not specified |
| CNA | Tinycontrol | TcPDU | affected 1.36 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| tinycontrol.pl/en/lk4/downloads | [email protected] | tinycontrol.pl | |
| tinycontrol.pl/en/archives/lan-controller-35/downloads | [email protected] | tinycontrol.pl | |
| cert.pl/en/posts/2026/03/CVE-2025-11500 | [email protected] | cert.pl | |
| tinycontrol.pl/en/lk39/downloads | [email protected] | tinycontrol.pl | |
| securitum.com/CVE-2025-11500 | [email protected] | securitum.com | |
| tinycontrol.pl/en/tcpdu/downloads | [email protected] | tinycontrol.pl | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Paweł Różański (Securitum.com)
Additional Advisory Data
Workarounds
CNA: Enabling "Basic Authentication" option mitigates the risk, because an attacker has to log in first prior to exploitation.