CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Description
Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms - one solely for interface management and one for protecting all other server resources. When the latter is turned off (which is the default setting), an unauthenticated attacker on the local network can obtain usernames and encoded passwords for the interface management portal by inspecting the HTTP response of the server when visiting the login page, which contains a JSON file with these details. Both normal and admin users' credentials are exposed. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).
Analysis
An authentication bypass vulnerability in Tinycontrol network devices (tcPDU and LAN Controllers LK3.5, LK3.9, LK4) exposes usernames and encoded passwords for both normal and admin users through unauthenticated HTTP requests to the login page. The vulnerability affects devices running older firmware versions when the secondary authentication mechanism is disabled (the default setting), allowing any attacker on the local network to harvest credentials without authenticating. With an EPSS score of 0.00043 and no KEV listing, this vulnerability shows low real-world exploitation activity despite its high CVSS score of 8.7.
Technical Context
The vulnerability stems from inadequate access control on sensitive authentication data (CWE-261): Tinycontrol devices implement two separate authentication mechanisms - one for interface management and another for protecting server resources. When the secondary authentication is disabled (the default), the login page's HTTP response contains a JSON file with usernames and encoded passwords that is accessible without any authentication. The affected products include Tinycontrol tcPDU power distribution units and LAN Controllers (models LK3.5, LK3.9, and LK4) used for network-based device management and control in industrial and data center environments.
Affected Products
Tinycontrol tcPDU devices running firmware versions prior to 1.36 are vulnerable, along with LAN Controller LK3.5 (hardware versions 3.5, 3.6, 3.7, and 3.8) running firmware prior to 1.67, LAN Controller LK3.9 (hardware version 3.9) running firmware prior to 1.75, and LAN Controller LK4 (hardware version 4.0) running firmware prior to 1.38. These industrial control and power distribution devices are commonly deployed in data centers and industrial facilities for remote management and monitoring of critical infrastructure.
Remediation
Upgrade affected Tinycontrol devices to the following patched firmware versions: tcPDU to version 1.36 or later, LK3.5 controllers to version 1.67 or later, LK3.9 controllers to version 1.75 or later, and LK4 controllers to version 1.38 or later. As an immediate mitigation until patching is complete, enable the secondary authentication mechanism for all server resources if possible, implement network segmentation to restrict access to management interfaces to trusted VLANs only, and monitor for unauthorized access attempts to device login pages. Consider implementing additional network-level access controls such as 802.1X authentication to prevent unauthorized devices from joining the management network.
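To find which devices still need the upgrade, the following script checks an inventory against the fixed firmware versions listed above. It is an added example, not code from vuln.today or Tinycontrol; the inventory format (host, product, hw, fw fields) and the sample hosts are constructed assumptions. Note the version comparison is numeric per component: a plain string compare would rank "1.4" above "1.38" and mark a vulnerable LK4 as patched.

```python
"""Check Tinycontrol devices against the fixed firmware versions from the
advisory: tcPDU 1.36, LK3.5 (hw 3.5-3.8) 1.67, LK3.9 (hw 3.9) 1.75, LK4 (hw 4.0) 1.38."""

# Fixed firmware per product line. For LAN Controllers the line is selected by
# hardware version, since the advisory groups hw 3.5-3.8 under LK3.5.
FIXED_FIRMWARE = {
    "tcPDU": {None: (1, 36)},
    "LK": {
        "3.5": (1, 67), "3.6": (1, 67), "3.7": (1, 67), "3.8": (1, 67),
        "3.9": (1, 75),
        "4.0": (1, 38),
    },
}


def parse_version(text):
    """Turn '1.67' (or 'v1.67') into (1, 67) so each component compares as an
    integer; lexical comparison would wrongly put '1.4' after '1.38'."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))


def is_vulnerable(product, hardware_version, firmware_version):
    """True if firmware is older than the fixed release for this product line,
    False if the fix is present; unknown hardware raises rather than guessing."""
    table = FIXED_FIRMWARE[product]
    key = None if product == "tcPDU" else str(hardware_version)
    if key not in table:
        raise ValueError(f"no advisory data for {product} hw {hardware_version}")
    return parse_version(firmware_version) < table[key]


def vulnerable_hosts(inventory):
    """Return the hosts in an inventory (dicts with host/product/hw/fw) that
    still run pre-fix firmware, in inventory order."""
    return [d["host"] for d in inventory
            if is_vulnerable(d["product"], d["hw"], d["fw"])]


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    {"host": "pdu-rack1", "product": "tcPDU", "hw": None,  "fw": "1.35"},
    {"host": "lk-hvac",   "product": "LK",    "hw": "3.7", "fw": "1.67"},
    {"host": "lk-door",   "product": "LK",    "hw": "4.0", "fw": "1.4"},
]

if __name__ == "__main__":
    print(vulnerable_hosts(SAMPLE_INVENTORY))  # → ['pdu-rack1', 'lk-door']
```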
EUVD-2025-208687