Donate Telegram

CVE-2025-15587

HIGH CVSS 4.0: 8.6 EPSS 0.05%

Mar 16, 2026

Updated Mar 16, 2026

Tinycontrol

Parameter	Value
CVSS	8.6 (HIGH)
Type	CWE-425 (Direct Request / Forced Browsing)
Vendor	Tinycontrol
Public PoC	No

Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).

Attack Parameters

Attack Vector

Adjacent

Requires local network access

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-425 Direct Request / Forced Browsing

References 5

https://cert.pl/en/posts/2026/03/CVE-2025-11500/

https://tinycontrol.pl/en/archives/lan-controller-35/downloads/#firmware

https://tinycontrol.pl/en/lk39/downloads/#firmware

https://tinycontrol.pl/en/lk4/downloads/#firmware

https://tinycontrol.pl/en/tcpdu/downloads/#firmware

Share Post Share Share Share

Related Vulnerabilities

CVE-2025-11500

Tinycontrol

CVE Details

CVE ID

CVE-2025-15587

Published Date

Mar 16, 2026

Vendor

Tinycontrol

Severity

HIGH

CVSS v4.0 Score

8.6

High severity. Prioritize patching.

Exploit Prediction (EPSS)

Probability of Exploit 0.05%

Likelihood of exploitation in next 30 days

Percentile: 16.1th percentile (higher than 16.1% of all CVEs)

Standard patching cycle

Impact

Full data disclosure

Complete data modification

Denial of Service

Source

Editor's Choice