Description
Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface.

This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).
Published: 2026-03-16
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Credential Exposure
Action: Patch Firmware
AI Analysis

Impact

The vulnerability allows a user with low privileges on a Tinycontrol device to read the administrator password by requesting a specific resource directly, one that the standard graphical interface never exposes. Leaking administrative credentials enables privilege escalation to full control of the device, a significant confidentiality breach that also puts integrity and availability at risk. The weakness is classified as CWE-425 (Direct Request, also known as forced browsing): access control is enforced only by the user interface, not by the resource itself.

Affected Systems

Affected products are Tinycontrol devices including the tcPDU and LAN Controllers LK3.5, LK3.9, and LK4. Firmware releases earlier than the fixed versions are vulnerable; the fixes are 1.36 for tcPDU, 1.67 for LK3.5 (hardware versions 3.5–3.8), 1.75 for LK3.9 (hardware version 3.9), and 1.38 for LK4 (hardware version 4.0).

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The EPSS score is below 1%, suggesting that exploitation is currently uncommon, and the vulnerability is not listed in the CISA KEV catalog. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:L/UI:N) indicates that a low-privileged account reachable from an adjacent network, or a local user on the device, can request the vulnerable resource without any user interaction or special conditions. Once the administrator password is obtained, the attacker can take over the device and potentially affect all equipment it controls. Because exploitation requires an authenticated low-privileged account, organizations should review which users hold accounts on these devices and limit network exposure of the management interface to reduce risk.

Generated by OpenCVE AI on March 22, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to the fixed versions: 1.36 for tcPDU, 1.67 for LK3.5, 1.75 for LK3.9, and 1.38 for LK4.
  • Restrict network or local access to the administration interfaces and enforce role‑based access control so that low‑privileged users cannot reach the vulnerable resource.
  • Monitor device logs for attempts to access the administrator password and set up alerts for unauthorized access attempts.

Generated by OpenCVE AI on March 22, 2026 at 15:08 UTC.


Advisories

No advisories yet.

History

Mon, 30 Mar 2026 08:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tinycontrol; Tinycontrol lan Controller; Tinycontrol lk3.9; Tinycontrol lk4; Tinycontrol tcpdu

Type: Vendors & Products
Values Removed: (none)
Values Added: Tinycontrol; Tinycontrol lan Controller; Tinycontrol lk3.9; Tinycontrol lk4; Tinycontrol tcpdu

Mon, 16 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 09:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).

Type: Title
Values Removed: (none)
Values Added: Credentials exposure in tinycontrol devices

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-425

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added:

{'score': 8.6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-16T16:26:18.674Z

Reserved: 2026-02-20T14:17:55.245Z

Link: CVE-2025-15587

Vulnrichment

Updated: 2026-03-16T16:26:10.085Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:17:56.577

Modified: 2026-03-16T14:53:46.157

Link: CVE-2025-15587

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T08:00:34Z

Weaknesses