CVE-2025-44614: n/a

High
Published: Fri May 30 2025 (05/30/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

Tinxy WiFi Lock Controller v1 RF was discovered to store users' sensitive information, including credentials and mobile phone numbers, in plaintext.

AI-Powered Analysis

Last updated: 07/07/2025, 20:27:52 UTC

Technical Analysis

CVE-2025-44614 is a high-severity vulnerability affecting the Tinxy WiFi Lock Controller v1 RF. The core issue is the storage of sensitive user information, including credentials and mobile phone numbers, in plaintext. This vulnerability corresponds to CWE-312, which denotes the cleartext storage of sensitive information. Because the data is stored without encryption or adequate protection, an attacker who gains access to the device's storage or backup data can easily extract this sensitive information. The CVSS v3.1 base score is 7.5, indicating a high severity level. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N shows that the vulnerability can be exploited remotely over the network without any privileges or user interaction, and it results in a complete confidentiality breach (high confidentiality impact) but does not affect integrity or availability. No known exploits are currently reported in the wild, and no patches have been published yet. The lack of vendor or product details limits the ability to pinpoint exact affected models or firmware versions, but the vulnerability is specific to the Tinxy WiFi Lock Controller v1 RF device. This device likely manages access control via WiFi and radio frequency communication, making it a critical component in physical security systems. The plaintext storage of credentials and phone numbers could allow attackers to impersonate users, intercept or manipulate access control, or conduct targeted social engineering attacks.

Potential Impact

For European organizations, especially those relying on Tinxy WiFi Lock Controllers for physical access management, this vulnerability poses a significant risk. The exposure of credentials and phone numbers can lead to unauthorized physical access to sensitive facilities, data centers, or restricted areas, potentially resulting in theft, espionage, or sabotage. Confidentiality breaches of user credentials also increase the risk of lateral attacks within the organization's network if the same credentials are reused or if attackers leverage the information for phishing campaigns. The lack of integrity and availability impact means the device's operation might not be directly disrupted, but the confidentiality compromise alone can have severe consequences. Organizations in sectors such as finance, government, healthcare, and critical infrastructure in Europe are particularly vulnerable due to the sensitive nature of their physical security. Additionally, the remote exploitability without authentication or user interaction increases the attack surface and urgency for mitigation.

Mitigation Recommendations

Given the absence of official patches, European organizations should immediately assess their deployment of Tinxy WiFi Lock Controller v1 RF devices. Practical mitigation steps include:

1) Isolate the affected devices on segmented, secured networks to limit remote access exposure.
2) Implement strict network access controls and monitor network traffic for unusual activity targeting these devices.
3) Change all credentials associated with the devices and enforce strong, unique passwords.
4) If possible, disable remote management features until a patch is available.
5) Employ additional physical security controls as a compensating measure, such as manual locks or alternative authentication methods.
6) Engage with the vendor or supplier to obtain timelines for patches or firmware updates and request secure storage practices.
7) Conduct regular audits of device configurations and stored data to detect any unauthorized access.
8) Educate users about the risks of credential exposure and train them to recognize phishing attempts that could leverage leaked phone numbers.

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 683917fc182aa0cae299e9e1

Added to database: 5/30/2025, 2:29:16 AM

Last enriched: 7/7/2025, 8:27:52 PM

Last updated: 8/6/2025, 5:52:01 PM
