PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-11500 tinycontrol CVE debrief

CVE-2025-11500 is a HIGH severity (CVSS 8.7) authentication bypass and information disclosure vulnerability affecting Tinycontrol IoT devices including tcPDU, LAN Controller LK3.5, LK3.9, and LK4. The vulnerability stems from a dual-authentication architecture in which interface management credentials are exposed via unauthenticated HTTP responses whenever the secondary resource protection mechanism is disabled, which is the default configuration state. An unauthenticated attacker on the local network can retrieve usernames and encoded (not hashed) passwords for both standard and administrative accounts by inspecting JSON responses from the device's login page. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) reflects an adjacent-network attack vector with high impact on confidentiality, integrity, and availability. The vulnerability was disclosed on March 16, 2026, and the CVE record was subsequently modified on May 19, 2026. Vendor patches are available across all affected product lines.

Vendor: tinycontrol
Product: Lan Kontroler v3.5
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-16
Original CVE updated: 2026-05-19
Advisory published: 2026-03-16
Advisory updated: 2026-05-19

Who should care

Organizations deploying Tinycontrol tcPDU power distribution units or LK-series LAN Controllers for remote infrastructure management, particularly in industrial control, data center, and building automation environments where these devices manage critical power and network resources.

Technical summary

Affected Tinycontrol devices implement two independent authentication layers: one for interface management and another for general server resource protection. When the latter is disabled (default state), the device's HTTP login response includes a JSON payload containing usernames and encoded passwords for the interface management portal. This encoding is not cryptographic hashing, permitting credential recovery. Both administrative and standard user accounts are exposed. The vulnerability requires adjacent network access but no authentication or user interaction.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade affected Tinycontrol devices to patched firmware versions immediately: tcPDU to 1.36, LK3.5 to 1.67, LK3.9 to 1.75, and LK4 to 1.38.
  • Enable the secondary authentication mechanism for server resource protection unless operational reasons require it to remain disabled; verify that this setting is active after the upgrade.
  • Rotate all administrative and user credentials on affected devices after patching, as historical exposure cannot be ruled out.
  • Segment Tinycontrol devices on isolated network VLANs with restricted access controls to limit adjacent network attack surface.
  • Monitor for unauthorized access attempts to device management interfaces, particularly from unexpected source addresses within the local network.
  • Review device configurations for unauthorized changes to authentication settings that may reintroduce vulnerability conditions.
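To turn the fix-version table and the exposure condition from the technical summary into a repeatable inventory check, here is an added triage script (not PatchSiren's or Tinycontrol's code). It assumes a hypothetical inventory record per device carrying the product line, hardware revision, firmware version, and whether the secondary server-resource protection is enabled; the constructed sample devices are illustrative only.

```python
"""Triage a Tinycontrol device inventory against the CVE-2025-11500 fix versions."""
from dataclasses import dataclass

# Fixed firmware per product line, as stated in the advisory.
FIXED_FIRMWARE = {
    "tcPDU": (1, 36),
    "LK3.5": (1, 67),   # covers hardware revisions 3.5-3.8
    "LK3.9": (1, 75),   # hardware revision 3.9
    "LK4": (1, 38),     # hardware revision 4.0
}

def parse_version(text: str) -> tuple[int, ...]:
    """'1.67' -> (1, 67); tuple comparison orders releases numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))

def lk_family(hw_revision: str) -> str:
    """Map a LAN Controller hardware revision (e.g. '3.7') to the firmware line that patches it."""
    hw = parse_version(hw_revision)
    if (3, 5) <= hw <= (3, 8):
        return "LK3.5"
    if hw == (3, 9):
        return "LK3.9"
    if hw == (4, 0):
        return "LK4"
    raise ValueError(f"hardware revision {hw_revision} is not covered by the advisory")

@dataclass
class Device:                   # hypothetical inventory record, assumed for this example
    name: str
    product: str                # "tcPDU" or "LK"
    hw_revision: str            # empty for tcPDU
    firmware: str
    resource_protection: bool   # secondary server-resource authentication enabled?

def assess(dev: Device) -> str:
    """'patched', 'unpatched-mitigated' (fix missing but leak condition closed) or 'exposed'."""
    family = "tcPDU" if dev.product == "tcPDU" else lk_family(dev.hw_revision)
    if parse_version(dev.firmware) >= FIXED_FIRMWARE[family]:
        return "patched"
    # Credentials leak only while the secondary protection is disabled (the default state).
    return "unpatched-mitigated" if dev.resource_protection else "exposed"

# Constructed sample inventory; names, revisions and versions are made up for illustration.
INVENTORY = [
    Device("pdu-rack1", "tcPDU", "", "1.35", False),
    Device("lk-hvac", "LK", "3.7", "1.67", False),
    Device("lk-dc-door", "LK", "3.9", "1.70", True),
    Device("lk-ups", "LK", "4.0", "1.38", False),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.name}: {assess(d)}")
```

Devices reported as "exposed" should be patched first and then have their credentials rotated, since the advisory notes that historical exposure cannot be ruled out.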

Evidence notes

Vulnerability confirmed through CERT.PL and Securitum coordinated disclosure. The issue is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-261 (Weak Encoding for Password). Firmware fix versions are explicitly documented: tcPDU 1.36, LK3.5 1.67 (HW 3.5-3.8), LK3.9 1.75 (HW 3.9), LK4 1.38 (HW 4.0).

Official resources

2026-03-16