Cyber Resilience

CVE-2025-11500

Severity: High
Published: 16 March 2026
Modified: 19 May 2026
KEV Added: none
Patch: fixed firmware available (see Vulnerability details)
CVSS Score v4: 8.7
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0027 (19.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-11500 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Tinycontrol devices (vendor inferred from references). Its CVSS v4 base score is 8.7 (High).

Operationally, its EPSS score places it at the 19.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms: one solely for interface management and one for protecting all other server resources. When the latter is turned off (which is a default setting), an unauthenticated attacker on the local network can obtain usernames and encoded passwords for the interface management portal by inspecting the HTTP response of the server when visiting the login page, which contains a JSON file with these details. Both normal and admin users' credentials are exposed. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5, hardware versions 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9, hardware version 3.9) and 1.38 (for LK4, hardware version 4.0).
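The practical question for a defender is which devices in an inventory still run pre-fix firmware, and whether the second (default-off) authentication layer is at least enabled on those. The script below is an added example, not Tinycontrol code; the fixed-firmware table, hardware-to-model mapping and CVSS vector are taken from the advisory text above, while the device inventory is constructed for illustration. It also shows why firmware versions must be compared numerically: "1.9" sorts after "1.38" as a string but is older.

```python
"""Fleet triage for CVE-2025-11500 (added example; not the vendor's code)."""
from __future__ import annotations
from dataclasses import dataclass

# Fixed firmware per product line, as stated in the advisory.
FIXED_FIRMWARE: dict[str, tuple[int, ...]] = {
    "tcPDU": (1, 36),
    "LK3.5": (1, 67),  # hardware versions 3.5, 3.6, 3.7, 3.8
    "LK3.9": (1, 75),  # hardware version 3.9
    "LK4": (1, 38),    # hardware version 4.0
}

# LAN Controller hardware revision -> product line, per the advisory.
HARDWARE_TO_PRODUCT = {
    "3.5": "LK3.5", "3.6": "LK3.5", "3.7": "LK3.5", "3.8": "LK3.5",
    "3.9": "LK3.9",
    "4.0": "LK4",
}

# CVSS v4 vector from this record.
VECTOR = ("CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
          "/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X"
          "/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X")


def parse_version(text: str) -> tuple[int, ...]:
    """'1.36' -> (1, 36): numeric tuples compare correctly, strings do not."""
    return tuple(int(part) for part in text.strip().split("."))


def product_line(model: str, hardware: str | None) -> str | None:
    """Map an inventory (model, hardware revision) pair to the advisory's product line."""
    if model == "tcPDU":
        return "tcPDU"
    if model == "LAN Controller" and hardware in HARDWARE_TO_PRODUCT:
        return HARDWARE_TO_PRODUCT[hardware]
    return None  # not covered by the advisory; needs manual review


@dataclass
class Device:
    name: str
    model: str
    hardware: str | None
    firmware: str
    resource_auth_enabled: bool  # the "all other server resources" login; off by default


def assess(dev: Device) -> str:
    """Classify one device: 'fixed', 'exposed', 'vulnerable-but-mitigated' or 'unknown'."""
    line = product_line(dev.model, dev.hardware)
    if line is None:
        return "unknown"
    if parse_version(dev.firmware) >= FIXED_FIRMWARE[line]:
        return "fixed"
    # Unpatched: only the second auth layer stands between the login page and the credential JSON.
    return "vulnerable-but-mitigated" if dev.resource_auth_enabled else "exposed"


def triage(devices: list[Device]) -> dict[str, str]:
    """Run assess() over an inventory and return {device name: status}."""
    return {d.name: assess(d) for d in devices}


def parse_cvss4(vector: str) -> dict[str, str]:
    """Parse a CVSS 4.0 vector into its defined metrics; 'X' (not defined) entries are dropped."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"unsupported vector prefix {prefix!r}")
    metrics = dict(part.split(":", 1) for part in parts)
    return {k: v for k, v in metrics.items() if v != "X"}


def adjacent_only(vector: str) -> bool:
    """True when AV:A, i.e. the attacker must be on the same local network segment."""
    return parse_cvss4(vector).get("AV") == "A"


# Constructed sample inventory (hypothetical device names and firmware states).
INVENTORY = [
    Device("pdu-rack1", "tcPDU", None, "1.35", False),
    Device("pdu-rack2", "tcPDU", None, "1.36", False),
    Device("lk-lab", "LAN Controller", "3.7", "1.66", True),
    Device("lk-dc", "LAN Controller", "3.9", "1.75", False),
    Device("lk-old", "LAN Controller", "3.4", "1.50", False),
    Device("lk-4", "LAN Controller", "4.0", "1.9", False),
]

if __name__ == "__main__":
    print("attack vector adjacent-only:", adjacent_only(VECTOR))
    for name, status in triage(INVENTORY).items():
        print(f"{name:10s} {status}")
```

Devices reported as "exposed" are the ones where the login page will hand out the credential JSON to anyone on the segment; "vulnerable-but-mitigated" devices still need the firmware update, since the second login is a configuration that can be switched back off.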

CWE(s)

CWE-201: Insertion of Sensitive Information Into Sent Data

Related Threats

CVEs Like This One

CVE-2025-31229 (shared CWE-261)
CVE-2024-13254 (shared CWE-201)
CVE-2020-37093 (shared CWE-201)
CVE-2026-27406 (shared CWE-201)
CVE-2023-38013 (shared CWE-201)
CVE-2025-2862 (shared CWE-261)
CVE-2026-24430 (shared CWE-201)
CVE-2020-37150 (shared CWE-201)
CVE-2026-39912 (shared CWE-201)
CVE-2026-4525 (shared CWE-201)

Affected Assets

Tinycontrol (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-201: embedding taints allows detection when sensitive data is inserted into outbound or sent data streams.
