CVE-2025-25037 - Vulnerability Details

- Aquatronica Controller System Complete Information Disclosure

Description

An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.

Published: 2025-06-20

Score: 9.3 Critical

EPSS: 2.1% Low

KEV: No

Impact:

Action:

Analysis

Impact

An information disclosure vulnerability in Aquatronica Controller System allows remote attackers to retrieve sensitive configuration data, including plaintext administrative credentials, by accessing the unprotected tcp.php endpoint. The exposed credentials can enable full control over the system, allowing manipulation of connected devices and aquarium parameters.

Affected Systems

Aquatronica Controller System firmware versions 5.1.6 and earlier, and web interface versions 2.0 and earlier, are vulnerable. Devices running those versions are at risk until an update is applied.

Risk and Exploitability

With a CVSS score of 9.3 and EPSS of 2%, the vulnerability is high severity and considered likely to be exploited. The exploit requires no authentication and can be performed from anywhere with network access to the device, making it a remote attack vector. Since it is not listed in KEV, no known public exploit has been reported to CISA, but the combination of broad accessibility and critical credentials means this flaw could lead to a full compromise of affected systems.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Aquatronica

Aquatronica Controller System

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.1.6

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to firmware 5.1.7 or later and web interface 2.1 or later to remove the vulnerable endpoint.
If a patch is not yet available, block or disable access to the tcp.php endpoint using firewall rules or by modifying the web server configuration to require authentication.
Review system logs and audit credentials to detect any unauthorized usage and ensure that user accounts follow secure password practices.

Generated by OpenCVE AI on April 28, 2026 at 11:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-18781	An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.02101.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://fortiguard.fortinet.com/encyclopedia/ips/56008
https://vulncheck.com/advisories/aquatronica-controller-system-credential-leak
https://www.aquatronica.com
https://www.exploit-db.com/exploits/52028
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php

History

Mon, 23 Jun 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Jun 2025 19:00:00 +0000

Type	Values Removed	Values Added
Description		An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.
Title		Aquatronica Controller System Complete Information Disclosure
Weaknesses		CWE-200
References		https://fortiguard.fortinet.com/encyclopedia/ips/56008 https://vulncheck.com/advisories/aquatronica-controller-system-credential-leak https://www.aquatronica.com https://www.exploit-db.com/exploits/52028 https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-06-20T18:35:19.243Z

Updated: 2026-04-07T14:08:58.658Z

Reserved: 2025-01-31T18:32:36.214Z

Link: CVE-2025-25037

Vulnrichment

Updated: 2025-06-23T20:33:07.611Z

NVD

Status : Deferred

Published: 2025-06-20T19:15:35.870

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-25037

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T11:15:26Z

Weaknesses

CWE-200

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object