The vulnerability identified as CVE-2025-15587 affects multiple tinycontrol Lan Kontroler devices, including tcPDU and LAN Controllers versions LK3.5, LK3.9, and LK4. It is classified under CWE-425, which involves direct request or forced browsing attacks. In this case, a low-privileged user can bypass the intended graphical user interface restrictions and directly request a resource that contains the administrator's password. This unauthorized access occurs without requiring elevated privileges or user interaction, indicating a flaw in access control enforcement on the device's web interface or API endpoints. The vulnerability impacts confidentiality by exposing sensitive credentials and integrity by potentially allowing unauthorized configuration changes. The CVSS 4.0 score is 8.6 (high severity), reflecting the ease of exploitation over an adjacent network (AV:A), low attack complexity (AC:L), no need for authentication (AT:N), and no user interaction (UI:N), with high impact on confidentiality, integrity, and availability. The issue affects multiple hardware versions and has been fixed in firmware versions 1.36 (tcPDU), 1.67 (LK3.5), 1.75 (LK3.9), and 1.38 (LK4). No public exploit code or widespread exploitation has been reported yet, but the vulnerability poses a significant risk due to the sensitive nature of the affected devices, which control networked power distribution and infrastructure.

The exploitation of CVE-2025-15587 can have severe consequences for organizations relying on tinycontrol Lan Kontroler devices. Unauthorized access to administrator credentials can lead to full control over power distribution units and networked infrastructure devices, enabling attackers to disrupt critical operations, cause downtime, or manipulate device configurations maliciously. This can affect data center operations, industrial control systems, and enterprise network environments where these devices manage power and connectivity. The confidentiality breach exposes sensitive credentials, increasing the risk of lateral movement within networks. Integrity and availability impacts arise from potential unauthorized changes or denial of service through device manipulation. Given the devices' role in infrastructure management, the threat extends to operational technology environments, increasing the risk of physical damage or safety hazards. The absence of required user interaction and low complexity of exploitation further elevate the threat level.

Organizations should immediately verify the firmware versions of all tinycontrol devices in their environment and upgrade to the patched versions: 1.36 for tcPDU, 1.67 for LK3.5, 1.75 for LK3.9, and 1.38 for LK4. Network segmentation should be enforced to isolate management interfaces of these devices from general user networks, limiting access to trusted administrators only. Implement strict access control lists (ACLs) and firewall rules to restrict access to device management ports. Monitor network traffic for unusual direct requests or forced browsing attempts targeting device endpoints. Employ multi-factor authentication (MFA) where supported to add an additional layer of security. Regularly audit device configurations and access logs to detect unauthorized access attempts. If firmware updates cannot be immediately applied, consider disabling web management interfaces or restricting them to secure management VLANs. Coordinate with tinycontrol support for any additional security advisories or mitigation guidance.