Cyber Resilience

CVE-2025-44614

High

Published: 30 May 2025

Published
30 May 2025
Modified
22 July 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0017 37.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-44614 is a high-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in Tinxy Wifi Lock Controller V1 Rf Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Tinxy WiFi Lock Controller v1 RF was discovered to store users' sensitive information, including credentials and mobile phone numbers, in plaintext.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1040 Network Sniffing Credential Access
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Plaintext storage of credentials and sensitive data in firmware/files (T1552.001), unsecured transmissions enabling network sniffing (T1040) and adversary-in-the-middle attacks (T1557).

Affected Assets

tinxy
wifi lock controller v1 rf firmware
all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-312

Training on secure data handling discourages cleartext storage of sensitive information.

addresses: CWE-312

Data action mapping can detect storage actions that leave sensitive information in cleartext.

addresses: CWE-312

Configuration policies can mandate secure storage methods to avoid cleartext storage of sensitive information.

addresses: CWE-312

Policy requires protection measures such as encryption for sensitive data stored on media, preventing cleartext exposure.

addresses: CWE-312

Key-management policy requires protected storage of key material, preventing cleartext storage of sensitive cryptographic keys.

addresses: CWE-312

Requiring confidentiality protection for information at rest eliminates cleartext storage of sensitive data on persistent media.

addresses: CWE-312

Reduces cleartext storage of sensitive data when OPSEC identifies and mandates protection of key information artifacts.

References