CVE-2025-15587
Description
Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low-privileged user to read an administrator's password by directly accessing a specific resource that is not reachable through the graphical interface.
This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-privileged user on tinycontrol tcPDU and LAN Controllers (LK3.5, LK3.9, LK4) can directly access a resource to read an administrator's password.
Vulnerability
Overview
CVE-2025-15587 affects tinycontrol tcPDU and LAN Controllers LK3.5, LK3.9, and LK4. The vulnerability allows a low-privileged user to retrieve an administrator's password by directly accessing a specific resource that is not accessible via the graphical interface [1]. The issue is classified as CWE-261, Weak Encoding for Password [1].
Exploitation
An attacker who already has low-privileged access to the device can directly request the resource (likely a file or API endpoint) that stores or outputs the administrator password with insufficient protection [1]. No additional authentication is required beyond the low-privileged session, as the resource is accessible without the graphical interface's access controls [1].
Impact
A successful attacker gains the administrator's password, effectively granting full administrative control over the affected tinycontrol device [1]. This could allow unauthorized reconfiguration, denial of service, or further network compromise.
Mitigation
Tinycontrol has released fixed firmware versions: 1.36 for tcPDU, 1.67 for LK3.5 (hardware versions 3.5, 3.6, 3.7, 3.8), 1.75 for LK3.9 (hardware version 3.9), and 1.38 for LK4 (hardware version 4.0) [1]. Users should update to the appropriate version from the vendor's firmware download pages [2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.36 (matches the tcPDU fixed version in the description)
- (no CPE) range: 0
- Range: <1.67 (matches the LK3.5 fixed version in the description)
- Range: <1.75 (matches the LK3.9 fixed version in the description)
- Range: <1.38 (matches the LK4 fixed version in the description)
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.