CVE-2025-15587
Published: 2026-03-16 · Last updated: 2026-05-19
Severity and scoring
- CWE: CWE-425 (Direct Request, "Forced Browsing")
Description
Tinycontrol devices such as the tcPDU and the LAN Controllers LK3.5, LK3.9 and LK4 allow a low-privileged user to read the administrator's password by directly requesting a specific resource that is not reachable through the graphical interface (forced browsing, CWE-425). This issue is fixed in firmware versions 1.36 (tcPDU), 1.67 (LK3.5, hardware versions 3.5, 3.6, 3.7 and 3.8), 1.75 (LK3.9, hardware version 3.9) and 1.38 (LK4, hardware version 4.0).
Source: NVD
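The pattern behind this CVE is that the web UI hides a resource from low-privileged accounts instead of the server denying it, so typing the URL directly bypasses the "protection". The following is an added illustration of that CWE-425 pattern beside its fix; it is not Tinycontrol firmware code, and the endpoint name `/export`, the roles, the accounts and the credential format are assumptions for the example (the page does not disclose the real resource path).

```python
"""
Added illustration of CWE-425 (forced browsing) as described for
CVE-2025-15587. Not vendor code: the routes, roles and accounts below are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample state: one administrator and one low-privileged user.
USERS: Dict[str, Dict[str, str]] = {
    "admin": {"password": "admin-secret", "role": "admin"},
    "viewer": {"password": "viewer-pass", "role": "user"},
}
ROLE_RANK = {"user": 1, "admin": 2}


@dataclass
class Request:
    user: Optional[str]   # authenticated username, or None if not logged in
    path: str


def settings_page(req: Request) -> Tuple[int, str]:
    return 200, "<html>settings form shown in the GUI</html>"


def export_config(req: Request) -> Tuple[int, str]:
    # Hypothetical hidden resource that dumps credentials in cleartext.
    return 200, "admin_password=" + USERS["admin"]["password"]


# Vulnerable dispatcher: any logged-in session may fetch any registered
# resource. The GUI simply never links "/export" for "user" accounts, which
# is obscurity, not authorization: the URL still works when typed directly.
VULNERABLE_ROUTES: Dict[str, Callable[[Request], Tuple[int, str]]] = {
    "/settings": settings_page,
    "/export": export_config,
}


def serve_vulnerable(req: Request) -> Tuple[int, str]:
    if req.user is None:
        return 401, "login required"
    handler = VULNERABLE_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


# Fixed dispatcher: every resource carries the minimum role it requires and
# the check runs server-side on every request, independent of what the GUI
# chooses to display.
FIXED_ROUTES: Dict[str, Tuple[str, Callable[[Request], Tuple[int, str]]]] = {
    "/settings": ("user", settings_page),
    "/export": ("admin", export_config),
}


def serve_fixed(req: Request) -> Tuple[int, str]:
    if req.user is None:
        return 401, "login required"
    entry = FIXED_ROUTES.get(req.path)
    if entry is None:
        return 404, "not found"
    required, handler = entry
    if ROLE_RANK[USERS[req.user]["role"]] < ROLE_RANK[required]:
        return 403, "forbidden"   # deny before the handler touches secrets
    return handler(req)


def leaks_admin_password(dispatcher, user: str) -> bool:
    """True if `user` can obtain the admin password via the hidden resource."""
    status, body = dispatcher(Request(user=user, path="/export"))
    return status == 200 and USERS["admin"]["password"] in body


def reachable_paths(dispatcher, user: str, paths) -> list:
    """Paths that return 200 for `user`; the check an auditor runs per role."""
    return [p for p in paths if dispatcher(Request(user, p))[0] == 200]


if __name__ == "__main__":
    for name, d in (("vulnerable", serve_vulnerable), ("fixed", serve_fixed)):
        print(name, "viewer can read admin password:",
              leaks_admin_password(d, "viewer"))
```

When verifying a device after the upgrade, the useful check is the one `reachable_paths` models: log in as the lowest-privileged account and request every known resource directly, not only the ones the GUI links, and expect 403 (or a redirect to login) on everything reserved for the administrator.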
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2025-15587
- [Other]https://cert.pl/en/posts/2026/03/CVE-2025-11500/
- [Other]https://tinycontrol.pl/en/archives/lan-controller-35/downloads/#firmware
- [Other]https://tinycontrol.pl/en/lk39/downloads/#firmware
- [Other]https://tinycontrol.pl/en/lk4/downloads/#firmware
- [Other]https://tinycontrol.pl/en/tcpdu/downloads/#firmware
Related CVEs
Same CWE
- CVE-2026-34028 — The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an aut...
- CVE-2026-11986 — A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities (4.9 MEDIUM)
- CVE-2026-8205 — Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView o... (5.3 MEDIUM)
- CVE-2026-7500 — When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled (5.4 MEDIUM)