CVE-2025-15587

EUVD-2025-208690 | HIGH 8.6 (CVSS 4.0)
2026-03-16 CERT-PL

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None

Lifecycle Timeline

- Analysis Generated: Mar 16, 2026 - 10:00 (vuln.today)
- EUVD ID Assigned: Mar 16, 2026 - 10:00 (euvd), EUVD-2025-208690
- CVE Published: Mar 16, 2026 - 09:26 (nvd), HIGH 8.6

Description

Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).

Analysis

A vulnerability in Tinycontrol network management devices (tcPDU and LAN Controllers) allows low-privileged authenticated users to retrieve administrator passwords by directly requesting resources that are hidden from the graphical interface, which in effect escalates them to administrator. The vulnerability affects multiple product lines, including the tcPDU and the LK3.5, LK3.9 and LK4 controllers across several hardware versions, and its CVSS score of 8.6 (High) indicates significant risk. There is no evidence of active exploitation (not in KEV), no public POC is available and no EPSS score is provided, but patched firmware is available for every affected product.

Technical Context

The vulnerability affects Tinycontrol's network-connected power distribution units (tcPDU) and LAN Controllers (LK series), industrial control devices used for remote power and equipment management. The root cause is CWE-425 (Direct Request or 'Forced Browsing'): the device relies on the user interface not showing a link to a sensitive resource instead of enforcing authorization on the resource itself, so the resource is reachable by anyone who requests its URL or API endpoint directly. A user authenticated with low privileges can therefore bypass the intended restriction and retrieve administrative data, in this case the stored administrator password.

Affected Products

Tinycontrol tcPDU devices running firmware versions prior to 1.36 are vulnerable, along with LAN Controllers LK3.5 (hardware versions 3.5, 3.6, 3.7, and 3.8) before firmware 1.67, LK3.9 (hardware version 3.9) before firmware 1.75, and LK4 (hardware version 4.0) before firmware 1.38. While specific CPE identifiers are not provided in the available data, these industrial control devices are typically deployed in data centers and critical infrastructure environments for remote power and equipment management.

Remediation

Upgrade affected Tinycontrol devices to the patched firmware versions: tcPDU to version 1.36 or later, LK3.5 series to version 1.67 or later, LK3.9 to version 1.75 or later, and LK4 to version 1.38 or later. Until patching is complete, implement network segmentation to restrict access to management interfaces to trusted administrative networks only, enforce strong authentication for all users, and monitor access logs for suspicious direct resource access attempts. Consider placing these devices behind a secure management VLAN with strict firewall rules limiting access to authorized administrators only.
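The two patterns described under Technical Context and Remediation, the forced-browsing weakness and the log monitoring that can catch attempts at it, are illustrated below in an added example. This is educational code written for this page, not Tinycontrol firmware or any code from the advisory; the resource paths, roles, user names and access-log format are constructed placeholders. The weak handler trusts the UI to hide the admin-only resource and returns it to any authenticated caller, the hardened handler checks the required role on every request, and the log check flags low-privileged accounts hitting admin-only resources regardless of the status code the server returned.

```python
import re
from dataclasses import dataclass

# Role ordering used by both the server-side check and the log monitor.
ROLE_RANK = {"user": 1, "admin": 2}

# Hypothetical resource policy (placeholder paths, not Tinycontrol's).
# The credentials export is the kind of resource the advisory describes:
# reachable by URL, never linked from the low-privilege UI.
RESOURCES = {
    "/status":            {"min_role": "user",  "linked_in_ui": True},
    "/admin/credentials": {"min_role": "admin", "linked_in_ui": False},
}


@dataclass
class Request:
    user: str
    role: str
    path: str


def handle_weak(req: Request):
    """Vulnerable pattern (CWE-425): only authentication is checked; the
    server relies on the UI never showing non-admins the link. Anyone who
    knows the path can request it directly and gets the contents."""
    if req.role not in ROLE_RANK:
        return 401, "unauthenticated"
    if req.path not in RESOURCES:
        return 404, "not found"
    return 200, f"contents of {req.path}"


def handle_hardened(req: Request):
    """Fixed pattern: the required role is enforced per resource on every
    request, independent of whether the UI links to it."""
    if req.role not in ROLE_RANK:
        return 401, "unauthenticated"
    spec = RESOURCES.get(req.path)
    if spec is None:
        return 404, "not found"
    if ROLE_RANK[req.role] < ROLE_RANK[spec["min_role"]]:
        return 403, "forbidden"
    return 200, f"contents of {req.path}"


# Constructed access-log lines in a hypothetical format:
# timestamp, user, role, method, path, status.
SAMPLE_LOG = """\
2026-03-16T10:00:01Z user=alice role=admin GET /admin/credentials 200
2026-03-16T10:00:05Z user=bob role=user GET /status 200
2026-03-16T10:00:09Z user=bob role=user GET /admin/credentials 200
2026-03-16T10:00:12Z user=carol role=user GET /admin/credentials 403
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def find_forced_browsing(log_text: str):
    """Returns (timestamp, user, path, status) for every request whose logged
    role is below the policy's required role for the path. Matching on the
    policy rather than on the status code matters: an unpatched device
    answers 200 for exactly the request we want to catch."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        spec = RESOURCES.get(m["path"])
        if spec is None:
            continue  # path not covered by the policy
        if ROLE_RANK.get(m["role"], 0) < ROLE_RANK[spec["min_role"]]:
            hits.append((m["ts"], m["user"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    low = Request("bob", "user", "/admin/credentials")
    print("weak:", handle_weak(low))          # (200, ...) admin data exposed
    print("hardened:", handle_hardened(low))  # (403, 'forbidden')
    for hit in find_forced_browsing(SAMPLE_LOG):
        print("ALERT", hit)
```

In the constructed log, bob's request is flagged even though it succeeded with 200, which is the signature of an unpatched device, while carol's 403 shows the hardened behaviour still being probed; both are worth an alert under the monitoring recommended above.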

Priority Score

43 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +43, POC 0

CVE-2025-15587 vulnerability details – vuln.today