CVE-2025-11500
Description
Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms: one solely for interface management and one for protecting all other server resources. When the latter is turned off (which is the default setting), an unauthenticated attacker on the local network can obtain usernames and encoded passwords for the interface management portal by inspecting the HTTP response of the server when visiting the login page, which contains a JSON file with these details. Both normal and admin users' credentials are exposed. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tinycontrol devices expose usernames and encoded passwords on the login page when the server resource authentication is off (default), allowing unauthenticated local attackers to compromise the interface management portal.
Vulnerability
Overview
CVE-2025-11500 affects Tinycontrol tcPDU and LAN Controllers LK3.5, LK3.9, and LK4 [1]. The devices implement two separate authentication mechanisms: one for the interface management portal and another for all other server resources [1]. When the server resource authentication is turned off—which is the default setting—the login page of the device serves an HTTP response that includes a JSON file containing usernames and encoded passwords for the interface management portal [1]. This exposes both normal and admin user credentials [1]. The weakness is categorized under CWE-261 (Weak Encoding for Password) [1].
Exploitation
An unauthenticated attacker on the local network can obtain these credentials simply by visiting the device's login page and inspecting the HTTP response [1]. No authentication is required to trigger the exposure, and the server resource authentication must be in its default disabled state [1]. The attack vector is local network access and does not require any prior knowledge of credentials or physical access to the device [1].
Impact
With the obtained usernames and encoded passwords, an attacker can log into the interface management portal [1]. The credentials may be encoded rather than fully encrypted, making it easier to recover the plaintext passwords [1]. Once logged in, the attacker may gain full administrative control over the device, allowing them to modify configurations, monitor or disrupt operations, and potentially pivot to other network resources [1]. The exposure of both normal and admin accounts increases the risk of privilege escalation and persistent compromise [1].
Mitigation
Tinycontrol has released firmware updates that fix the issue: version 1.36 for tcPDU, version 1.67 for LK3.5 (hardware versions 3.5, 3.6, 3.7, 3.8), version 1.75 for LK3.9 (hardware version 3.9), and version 1.38 for LK4 (hardware version 4.0) [1]. Users should update to the latest firmware available from the vendor's download pages [2][3][4]. As a workaround, enabling server resource authentication on the device can prevent the exposure, but this may affect functionality [1].
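The following is an added inventory-audit example, not Tinycontrol code and not part of the advisory: it takes the fixed-firmware table from the advisory and classifies each device as fixed, unpatched-but-mitigated (server resource authentication enabled) or exposed. It assumes firmware versions compare as dotted integer tuples ("1.36" is older than "1.67") and that the inventory records the device's "server resource authentication" setting; the Device fields and sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Fixed firmware versions and covered hardware versions, as stated in the advisory.
# product line -> (hardware versions covered, first fixed firmware)
FIXED_FIRMWARE = {
    "tcPDU": (None, "1.36"),                        # hardware version not relevant
    "LK3.5": ({"3.5", "3.6", "3.7", "3.8"}, "1.67"),
    "LK3.9": ({"3.9"}, "1.75"),
    "LK4":   ({"4.0"}, "1.38"),
}


@dataclass
class Device:
    # Hypothetical inventory record (assumption: fields are not from the vendor).
    host: str
    model: str                 # "tcPDU" or "LAN Controller"
    hw_version: str            # e.g. "3.7"; ignored for tcPDU
    firmware: str              # e.g. "1.62"
    auth_all_resources: bool   # the "server resource authentication" setting


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.36' or 'v1.36.2' into a comparable tuple of integers."""
    cleaned = text.strip().lstrip("vV")
    if not cleaned:
        raise ValueError("empty version string")
    return tuple(int(part) for part in cleaned.split("."))


def product_line(device: Device) -> Optional[str]:
    """Map a device to the advisory's product line via model and hardware version."""
    if device.model == "tcPDU":
        return "tcPDU"
    for line, (hw_versions, _fixed) in FIXED_FIRMWARE.items():
        if hw_versions and device.hw_version in hw_versions:
            return line
    return None  # hardware version the advisory does not cover


def assess(device: Device) -> str:
    """Return 'fixed', 'mitigated', 'exposed' or 'unknown' for one device."""
    line = product_line(device)
    if line is None:
        return "unknown"
    _hw, fixed = FIXED_FIRMWARE[line]
    if parse_version(device.firmware) >= parse_version(fixed):
        return "fixed"
    # Unpatched: the advisory's workaround is enabling server resource
    # authentication, which blocks the unauthenticated credential exposure.
    return "mitigated" if device.auth_all_resources else "exposed"


def audit(devices):
    """Audit a whole inventory; returns {host: status}."""
    return {device.host: assess(device) for device in devices}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("pdu-01", "tcPDU", "", "1.35", False),
    Device("pdu-02", "tcPDU", "", "1.36", False),
    Device("lk-a", "LAN Controller", "3.7", "1.66", True),
    Device("lk-b", "LAN Controller", "3.9", "1.75", False),
    Device("lk-c", "LAN Controller", "4.0", "1.30", False),
    Device("lk-d", "LAN Controller", "2.0", "1.0", False),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "exposed" need the firmware update first; "mitigated" devices are still running vulnerable firmware and should be scheduled for the update, since the workaround depends on a setting that may be turned back off.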
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- (no CPE) range: 0 to < 1.36
- (no CPE) range: 0 to < 1.67
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
News mentions (0)
No linked articles in our index yet.