CVSS Vector (NVD)
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms: one solely for interface management and one for protecting all other server resources. When the latter is turned off (which is the default setting), an unauthenticated attacker on the local network can obtain usernames and encoded passwords for the interface management portal by inspecting the HTTP response of the server when visiting the login page, which contains a JSON file with these details. Both normal and admin users' credentials are exposed. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).
Analysis (AI)
An authentication bypass vulnerability in Tinycontrol network devices (tcPDU and LAN Controllers LK3.5, LK3.9, LK4) exposes usernames and encoded passwords for both normal and admin users through unauthenticated HTTP requests to the login page. The vulnerability affects devices running older firmware versions when the secondary authentication mechanism is disabled (the default setting), allowing any attacker on the local network to harvest credentials without authenticating. With an EPSS score of 0.00043 and no KEV listing, this vulnerability shows low real-world exploitation activity despite its high CVSS score of 8.7.
Technical Context (AI)
The vulnerability stems from inadequate access control on sensitive authentication data (CWE-261). Tinycontrol devices implement two separate authentication mechanisms: one for interface management and another for protecting server resources. When the secondary authentication is disabled, as it is by default, the login page's HTTP response contains a JSON file with usernames and encoded passwords that is accessible without any authentication. The affected products include Tinycontrol tcPDU power distribution units and LAN Controllers (models LK3.5, LK3.9, and LK4) used for network-based device management and control in industrial and data center environments.
Remediation (AI)
Upgrade affected Tinycontrol devices to the following patched firmware versions: tcPDU to version 1.36 or later, LK3.5 controllers to version 1.67 or later, LK3.9 controllers to version 1.75 or later, and LK4 controllers to version 1.38 or later. As an immediate mitigation until patching is complete, enable the secondary authentication mechanism for all server resources where possible, segment the network so that management interfaces are reachable only from trusted VLANs, and monitor for unauthorized access attempts to device login pages. Consider additional network-level access controls, such as 802.1X authentication, to prevent unauthorized devices from joining the management network.
EUVD-2025-208687