CVE-2025-15587 PUBLISHED

Credentials exposure in tinycontrol devices

Assigner: CERT-PL
Reserved: 20.02.2026 Published: 16.03.2026 Updated: 16.03.2026

Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface.

This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.6

Product Status

Vendor tinycontrol
Product Lan Kontroler v3.5
Versions Default: unaffected
  • affected from 0 to 1.67 (excl.)
Vendor tinycontrol
Product LK3.9
Versions Default: unaffected
  • affected from 0 to 1.75 (excl.)
Vendor tinycontrol
Product LK4
Versions Default: unaffected
  • affected from 0 to 1.38 (excl.)
Vendor tinycontrol
Product tcPDU
Versions Default: unaffected
  • affected from 0 to 1.36 (excl.)

References

Problem Types

  • CWE-425 Direct Request ('Forced Browsing') CWE