Description
Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms - one solely for interface management and one for protecting all other server resources. When the latter is turned off (which is the default setting), an unauthenticated attacker on the local network can obtain usernames and encoded passwords for the interface management portal by inspecting the HTTP response of the server when visiting the login page, which contains a JSON file with these details. Both normal and admin users' credentials are exposed.
This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).
Published: 2026-03-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Credentials exposed to local network
Action: Immediate Patch
AI Analysis

Impact

Tinycontrol devices incorporate two distinct authentication mechanisms: one for the management interface and another (the vendor's "Basic Authentication" option) for all other server resources. When the latter is disabled, which it is by default, an unauthenticated attacker on the local network can request the login page and retrieve, from the HTTP response, a JSON document containing usernames and encoded passwords for both normal and admin users. The passwords are encoded rather than hashed (the record is tagged CWE-261, weak encoding for password), so the encoding should be treated as reversible. The flaw exposes credentials without any prior privilege, allowing an attacker on the same local network to obtain full management credentials for the device with a single request.

Affected Systems

Affected products are the Tinycontrol LAN Controllers LK3.5, LK3.9 and LK4 and the tcPDU. Firmware versions earlier than the fixed releases are affected; the fixes are 1.36 for the tcPDU, 1.67 for the LK3.5 family (hardware versions 3.5 to 3.8), 1.75 for the LK3.9 (hardware version 3.9) and 1.38 for the LK4 (hardware version 4.0).

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 8.7 (vector AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) and an EPSS score below 1%: high severity, low observed exploitation probability. The attack vector is adjacent network (AV:A), so the attacker needs a foothold on the same local network as the device but no credentials, no user interaction and no special preconditions. Because exploitation is a single unauthenticated request to the login page, credentials can be harvested quickly and reused against the management interface and anything else those accounts govern. The vulnerability is not listed in KEV and the SSVC assessment records no known exploitation, but the risk remains significant for operators who have neither applied the fixed firmware nor enabled the Basic Authentication workaround.

Generated by OpenCVE AI on March 21, 2026 at 14:35 UTC.

Remediation

Vendor Workaround

Enabling the "Basic Authentication" option mitigates the risk, because an attacker has to log in before exploitation.


OpenCVE Recommended Actions

  • Apply the latest firmware updates for each affected Tinycontrol product (tcPDU 1.36, LK3.5 1.67, LK3.9 1.75, LK4 1.38).
  • Enable the Basic Authentication option (the second authentication mechanism, which is off by default) so that a login is required before the login page, and the credential JSON it carries, is served; this is the official workaround offered by Tinycontrol.
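A quick way to verify a device's state from the local network is to request the login page unauthenticated and inspect what comes back. The script below is an added example, not Tinycontrol or OpenCVE code: it classifies a captured response as mitigated (HTTP 401 with a Basic challenge, meaning the vendor workaround is on), exposed (a 200 whose body carries JSON with user/password pairs, whether the body is JSON itself or the JSON is embedded in HTML) or clean. The login path (`/login.html`), the key-name heuristics and the sample responses are assumptions, since the page gives neither the real URL nor the JSON field names.

```python
"""Classify a Tinycontrol-style login-page response for credential leakage.

Added example, not Tinycontrol or OpenCVE code. LOGIN_PATH, the key-name
patterns and the sample responses below are assumptions/constructed data.
"""
import json
import re
import urllib.error
import urllib.request

LOGIN_PATH = "/login.html"                            # assumption: login page path
USER_KEYS = re.compile(r"(user|login|name)", re.I)    # assumption: heuristic key names
PASS_KEYS = re.compile(r"(pass|pwd)", re.I)


def extract_json_objects(body: str):
    """Yield every JSON object in body: the whole body, or objects embedded in HTML/JS."""
    decoder = json.JSONDecoder()
    i = 0
    while True:
        i = body.find("{", i)
        if i < 0:
            return
        try:
            obj, end = decoder.raw_decode(body, i)
        except json.JSONDecodeError:
            i += 1            # not JSON here (e.g. a JS block); keep scanning
            continue
        if isinstance(obj, dict):
            yield obj
        i = end


def find_credentials(obj, path=""):
    """Walk decoded JSON; return (path, username, password) for every dict that
    holds both a user-like and a password-like string field."""
    found = []
    if isinstance(obj, dict):
        user = next((v for k, v in obj.items() if USER_KEYS.search(k) and isinstance(v, str)), None)
        pwd = next((v for k, v in obj.items() if PASS_KEYS.search(k) and isinstance(v, str)), None)
        if user is not None and pwd is not None:
            found.append((path or "$", user, pwd))
        for k, v in obj.items():
            found.extend(find_credentials(v, f"{path}.{k}" if path else k))
    elif isinstance(obj, list):
        for n, v in enumerate(obj):
            found.extend(find_credentials(v, f"{path}[{n}]"))
    return found


def classify(status: int, headers: dict, body: str) -> dict:
    """'mitigated': 401 + Basic challenge, the server refuses before serving content.
    'exposed': page served unauthenticated and carries credential-bearing JSON.
    'clean': page served, no credential JSON found (patched or different layout)."""
    auth = {k.lower(): v for k, v in headers.items()}.get("www-authenticate", "")
    if status == 401 and auth.lower().startswith("basic"):
        return {"state": "mitigated", "credentials": []}
    creds = []
    for obj in extract_json_objects(body):
        creds.extend(find_credentials(obj))
    return {"state": "exposed" if creds else "clean", "credentials": creds}


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch the login page with no credentials and classify the reply.
    Network call: run only against devices you are authorised to test."""
    req = urllib.request.Request(base_url.rstrip("/") + LOGIN_PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:      # 401 arrives here
        return classify(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


# Constructed sample responses (not real device output).
SAMPLE_EXPOSED = (200, {"Content-Type": "text/html"},
                  '<html><script>var cfg = {"users":[{"name":"admin","passwd":"YWRtaW4=","role":1},'
                  '{"name":"user","passwd":"dXNlcg==","role":0}]};</script></html>')
SAMPLE_MITIGATED = (401, {"WWW-Authenticate": 'Basic realm="tinycontrol"'}, "")
SAMPLE_CLEAN = (200, {"Content-Type": "text/html"}, "<html><form>...</form></html>")

if __name__ == "__main__":
    for name, sample in (("exposed", SAMPLE_EXPOSED), ("mitigated", SAMPLE_MITIGATED), ("clean", SAMPLE_CLEAN)):
        print(name, classify(*sample))
```

`probe("http://192.0.2.10")` runs the live check against one device; `classify` is kept separate so the same logic can be applied to responses captured by a proxy or packet capture without touching the network. A "clean" result does not prove the firmware is patched, only that this heuristic found no credential-bearing JSON at the assumed path.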



Advisories

No advisories yet.

History

Mon, 30 Mar 2026 08:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Tinycontrol
                                      Tinycontrol lan Controller
                                      Tinycontrol lk3.9
                                      Tinycontrol lk4
                                      Tinycontrol tcpdu
Vendors & Products   -                Tinycontrol
                                      Tinycontrol lan Controller
                                      Tinycontrol lk3.9
                                      Tinycontrol lk4
                                      Tinycontrol tcpdu

Mon, 16 Mar 2026 17:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 09:45:00 +0000

Type         Values Removed   Values Added
Description  -                Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms - one solely for interface management and one for protecting all other server resources. When the latter is turned off (which is a default setting), an unauthenticated attacker on the local network can obtain usernames and encoded passwords for interface management portal by inspecting the HTTP response of the server when visiting the login page, which contains a JSON file with these details. Both normal and admin users credentials are exposed. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).
Title        -                Credentials exposure in tinycontrol devices
Weaknesses   -                CWE-201
                              CWE-261
References   -
Metrics      -                cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-16T16:24:33.361Z

Reserved: 2025-10-08T14:14:53.731Z

Link: CVE-2025-11500

Vulnrichment

Updated: 2026-03-16T16:24:25.544Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:17:54.113

Modified: 2026-03-16T14:53:46.157

Link: CVE-2025-11500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T08:00:33Z

Weaknesses