CVE-2025-11500: CWE-261 Weak Encoding for Password in tinycontrol Lan Kontroler v3.5
CVE-2025-11500 is a high-severity vulnerability in tinycontrol Lan Kontroler devices running firmware older than the fixed releases (1.36 for tcPDU, 1.67 for LK3.5, 1.75 for LK3.9, 1.38 for LK4). The devices' secondary authentication, which protects server resources other than the management interface, is disabled by default; in that state an unauthenticated attacker on the local network can retrieve usernames and weakly encoded passwords for the interface management portal simply by inspecting HTTP responses. Both normal and admin credentials are exposed, and because the encoding is weak the passwords can be recovered and used for unauthorized access. The vulnerability requires neither user interaction nor prior authentication and affects multiple hardware versions. Firmware updates addressing the issue have been released. Exploitation could lead to full compromise of the device management interface and potentially broader network access.
AI Analysis
Technical Summary
CVE-2025-11500 affects tinycontrol Lan Kontroler devices: the tcPDU and the LAN Controllers LK3.5, LK3.9 and LK4. The devices implement two authentication mechanisms, one for the interface management portal and a secondary one protecting the other server resources. The secondary mechanism is disabled by default, and with it disabled the login page itself leaks credentials: when an unauthenticated client on the local network requests the login page, the HTTP response includes a JSON document containing the usernames and encoded passwords of the management portal's accounts, both normal and administrative. Because the passwords are protected only by a weak encoding (CWE-261) rather than a one-way hash, the plaintext passwords can be recovered from the encoded values, and an attacker can then log in to the management interface. No user interaction or prior authentication is needed; the attacker only needs a position on the same network segment (the CVSS attack vector is Adjacent, not Network, so the device is not reachable for this attack from the Internet unless its management interface is itself exposed there). The weakness also maps to CWE-201 (Insertion of Sensitive Information Into Sent Data, formerly named Information Exposure Through Sent Data). The issue is fixed in firmware 1.36 for tcPDU, 1.67 for LK3.5, 1.75 for LK3.9 and 1.38 for LK4. The CVSS 4.0 base score is 8.7 (High): attack vector adjacent network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.
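As an added illustration of what CWE-261 means in practice (this is not code from tinycontrol or from the advisory), the following Python models the two behaviours the summary describes side by side: a login page that hands an unauthenticated client a JSON document of usernames and reversibly encoded passwords, which anyone on the LAN can decode, and a hardened equivalent that stores a salted one-way hash, verifies logins against it, and sends no credential material at all. The encoding the real device uses is not stated on the page, so base64 stands in for it here; the user records and the `users`/`name`/`pass` JSON keys are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed sample credential store for the demonstration; not data from any
# tinycontrol device.
SAMPLE_USERS = {"admin": "Sup3rSecret!", "user": "viewer123"}


# --- Weak encoding (CWE-261): reversible and keyless, so it is not protection ---

def weak_encode(password: str) -> str:
    """Stand-in for a weak reversible encoding. base64 is an assumption for
    illustration; the advisory does not say which encoding the device uses."""
    return base64.b64encode(password.encode()).decode()


def weak_decode(encoded: str) -> str:
    return base64.b64decode(encoded).decode()


def vulnerable_login_page_json(users: dict) -> str:
    """Models the vulnerable behaviour: the login page served to an
    unauthenticated client carries every username with its encoded password."""
    entries = [{"name": u, "pass": weak_encode(p)} for u, p in users.items()]
    return json.dumps({"login": True, "users": entries})


def recover_credentials(response_body: str) -> dict:
    """What anyone on the LAN can do with that response: decode every entry
    back to the plaintext password and log in."""
    data = json.loads(response_body)
    return {e["name"]: weak_decode(e["pass"]) for e in data["users"]}


# --- Hardened: salted PBKDF2, verify-only storage, no credential data sent ---

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """One-way, salted, slow hash. The stored string lets the server verify a
    login attempt but gives no way to recover the password from it."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification timing does not leak the digest.
    return hmac.compare_digest(dk.hex(), dk_hex)


def hardened_login_page_json() -> str:
    """The login page for an unauthenticated client contains no user records
    at all; the credential store never leaves the server."""
    return json.dumps({"login": True})


if __name__ == "__main__":
    leaked = vulnerable_login_page_json(SAMPLE_USERS)
    print("vulnerable response:", leaked)
    print("recovered by attacker:", recover_credentials(leaked))
    store = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("hardened store verifies admin:",
          verify_password("Sup3rSecret!", store["admin"]))
    print("hardened login page:", hardened_login_page_json())
```

The point the two halves make together is that the fix is not a stronger encoding: any reversible transformation sent to an unauthenticated client is a credential leak (CWE-201), so the hardened version both stores a hash the server cannot reverse and never includes the record in a response.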
Potential Impact
Organizations running vulnerable firmware on tinycontrol Lan Kontroler devices are at significant risk of unauthorized access to the device management interface. Because administrator credentials are among those exposed, an attacker does not need to escalate privileges after login: they can log in directly as an administrator, change device configuration, disrupt whatever the device controls, and use the device as a foothold for lateral movement within the internal network. The attacker needs only local network access, which can be obtained through a compromised internal host, a rogue device on the segment, or an insider. The risk is most acute where these devices control power distribution or other infrastructure, such as data centers, industrial facilities and enterprise networks, where a configuration change translates into denial of service for connected equipment. Two factors raise the likelihood of exploitation: the secondary authentication is off by default, so an unconfigured device is exposed as shipped, and the encoding is weak, so the captured credentials are immediately usable.
Mitigation Recommendations
Verify the firmware version of every tinycontrol Lan Kontroler device and upgrade to the fixed releases: 1.36 for tcPDU, 1.67 for LK3.5, 1.75 for LK3.9 and 1.38 for LK4. After updating, change the passwords of all management accounts on the device, since anyone who had local network access while the device was vulnerable may already hold them. Until the update can be applied, enable the secondary authentication on the device, since the advisory describes the exposure as occurring while it is disabled, and restrict access to the device to trusted management hosts through network segmentation and network access control, so that unauthorized devices cannot join the segment hosting the controllers. Note that moving the management interface to HTTPS does not address this issue by itself: the server returns the credentials to any unauthenticated client that requests the login page, so transport encryption only prevents passive sniffing by a third party, not retrieval by the requester. For detection, log and alert on HTTP requests to the login page that originate from hosts other than the approved management hosts, and review device logs and access patterns for logins from unexpected sources. Intrusion detection rules keyed on access to the management interface from outside the management network provide the same coverage at scale.
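Added example (not from the advisory or the vendor): a Python inventory check that applies the fixed-version thresholds above to a device list and separates hosts that need the update from hosts needing manual review. The model-name aliases, the sample inventory and the assumption that the vendor's firmware versions compare component-wise are mine, not the vendor's; the one thing taken from the advisory is the table of fixed versions per model.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed firmware versions named in the advisory, keyed by hardware model.
FIXED_FIRMWARE = {"tcPDU": "1.36", "LK3.5": "1.67", "LK3.9": "1.75", "LK4": "1.38"}

# Spellings an inventory export might use for the same hardware. These aliases
# are an assumption made for the example, not taken from the advisory.
MODEL_ALIASES = {
    "TCPDU": "tcPDU",
    "LK3.5": "LK3.5", "LANKONTROLERV3.5": "LK3.5", "LANCONTROLLERV3.5": "LK3.5",
    "LK3.9": "LK3.9", "LANKONTROLERV3.9": "LK3.9", "LANCONTROLLERV3.9": "LK3.9",
    "LK4": "LK4", "LANKONTROLERV4": "LK4", "LANCONTROLLERV4": "LK4",
}


def normalize_model(model: str) -> Optional[str]:
    """Map an inventory model string to an advisory model name, or None."""
    key = re.sub(r"\s+", "", model).upper()
    return MODEL_ALIASES.get(key)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.67', 'v1.67' or '1.67-beta' into a tuple of ints so that the
    comparison is component-wise (assumed to match the vendor's numbering):
    '1.9' is then older than '1.67', which a plain string compare gets wrong."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(model: str, firmware: str) -> Optional[bool]:
    """True if the firmware is older than the fixed release for this model,
    False if it is the fixed release or newer, None if the model is not one
    the advisory covers."""
    canonical = normalize_model(model)
    if canonical is None:
        return None
    return parse_version(firmware) < parse_version(FIXED_FIRMWARE[canonical])


def audit(inventory: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Split an inventory into hosts that need the update and hosts that need a
    manual look (model not covered, or firmware string not parseable)."""
    needs_update: List[str] = []
    review: List[str] = []
    for dev in inventory:
        try:
            verdict = is_vulnerable(dev["model"], dev["firmware"])
        except ValueError:
            verdict = None
        if verdict is None:
            review.append(dev["host"])
        elif verdict:
            needs_update.append(dev["host"])
    return needs_update, review


# Constructed sample inventory; hostnames, model spellings and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "pdu-rack1", "model": "tcPDU", "firmware": "1.35"},
    {"host": "pdu-rack2", "model": "tcPDU", "firmware": "v1.36"},
    {"host": "lk-hvac", "model": "LAN Kontroler v3.5", "firmware": "1.9"},
    {"host": "lk-door", "model": "LK3.9", "firmware": "1.75"},
    {"host": "lk-lab", "model": "LK4", "firmware": "1.37"},
    {"host": "relay-misc", "model": "SomeOtherVendor", "firmware": "2.0"},
]


if __name__ == "__main__":
    needs_update, review = audit(SAMPLE_INVENTORY)
    print("needs firmware update:", needs_update)
    print("manual review:", review)
```

The `lk-hvac` entry is the case worth noticing: its firmware reads `1.9`, which a string comparison would rank above `1.67` and wrongly report as fixed; component-wise it is older and the host is listed for update. Hosts with a model the advisory does not name are never silently reported as safe.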
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, France, India, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-10-08T14:14:53.731Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b7d6069d4df45183495a5d
Added to database: 3/16/2026, 10:05:58 AM
Last enriched: 3/16/2026, 10:20:34 AM
Last updated: 3/16/2026, 11:17:18 AM