CVE-2025-15587

HIGH

Credentials exposure in tinycontrol devices

Title source: cna

Description

Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).

References (5)

[Third Party Advisory] https://cert.pl/en/posts/2026/03/CVE-2025-11500/

[Release Notes] https://tinycontrol.pl/en/archives/lan-controller-35/downloads/#firmware

[Release Notes] https://tinycontrol.pl/en/lk39/downloads/#firmware

[Release Notes] https://tinycontrol.pl/en/lk4/downloads/#firmware

[Release Notes] https://tinycontrol.pl/en/tcpdu/downloads/#firmware

Scores

CVSS v4 8.6

EPSS 0.0004

EPSS Percentile 10.7%

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-425

Status published

Products (4)

tinycontrol/Lan Kontroler v3.5 < 1.67

tinycontrol/LK3.9 < 1.75

tinycontrol/LK4 < 1.38

tinycontrol/tcPDU < 1.36

Published Mar 16, 2026

Tracked Since Mar 16, 2026