CVE-2025-25037 PUBLISHED

Aquatronica Controller System Complete Information Disclosure

Assigner: VulnCheck
Reserved: 31.01.2025 Published: 20.06.2025 Updated: 20.06.2025

An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	None	Integrity	High
Attack Requirements	None	Availability	None	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Aquatronica
Product	Aquatronica Controller System
Versions	Default: unaffected affected from 0 to 5.1.6 (incl.)

Credits

Gjoko Krstic finder

References

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE

Impacts

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs