Tinycontrol LAN Controller Authentication Bypass Vulnerability Allowing Unauthenticated Password Changes

Vulnerability

An authentication bypass vulnerability has been identified in Tinycontrol LAN Controller firmware version 1.58a running on hardware version 3.8. The /stm.cgi endpoint trusts an authentication parameter supplied by the client: by setting that parameter so that the access check is skipped, an unauthenticated attacker can submit a new admin password in the same request. Because the access decision depends on attacker-controlled input rather than on a server-side session, no credentials are needed at any point, and the attacker can then log in to the administrative panel with the password they chose.

Impact

Exploitation of this vulnerability lets an unauthenticated attacker change the admin password and thereby gain full administrative control of the affected device. The legitimate operator is locked out as a side effect, since the previous password no longer works. Any such controller whose web interface is reachable from an untrusted network should be considered exposed.

Reproduction

To reproduce this vulnerability, send a single request to the /stm.cgi endpoint in which the authentication parameter is set so that the access check is bypassed and the desired admin password is supplied base64-encoded. No valid credentials or session are required. The request can be issued with a tool such as curl. Note that a successful test changes the real admin password on the device, so confirm beforehand that you can restore access.
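The page describes the request only in general terms, so the following is an added detection example, not code from the page or from Tinycontrol, for hunting this activity in HTTP access logs captured by a reverse proxy or network sensor placed in front of the controller. It assumes Common Log Format lines, a management subnet of 192.168.1.0/24 as the only legitimate source of /stm.cgi traffic, and uses the placeholder parameter names auth and pass in constructed sample lines; the real parameter names are not given on this page, which is why the detector inspects every query parameter for a base64-encoded printable value rather than relying on a fixed name.

```python
import base64
import binascii
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Common Log Format. They are not real device
# output; the parameter names "auth" and "pass" are placeholders, since
# the advisory does not name them.
SAMPLE_LOGS = [
    '192.168.1.50 - - [30/Dec/2025:22:10:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Dec/2025:22:10:05 +0000] "GET /stm.cgi?auth=0&pass=U3VwM3JTM2NyM3Q= HTTP/1.1" 200 88',
    '192.168.1.50 - - [30/Dec/2025:22:11:12 +0000] "GET /stm.cgi?status=1 HTTP/1.1" 200 310',
    '198.51.100.9 - - [30/Dec/2025:22:12:40 +0000] "POST /stm.cgi HTTP/1.1" 200 64',
]

# Assumed: only hosts in this subnet are allowed to talk to the controller.
MANAGEMENT_NET = ipaddress.ip_network("192.168.1.0/24")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def looks_like_base64_text(value: str) -> bool:
    """True if value is strictly valid base64 that decodes to printable ASCII.

    Strict decoding rejects stray characters and bad padding, so short
    numeric flags such as "0" or "1" are not mistaken for encoded data.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    if not raw:
        return False
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.isprintable()


def find_suspicious(lines):
    """Return findings for /stm.cgi requests that come from outside the
    management network or that carry a base64-encoded printable value
    (a candidate for an encoded replacement password)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/stm.cgi":
            continue
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        reasons = []
        if ipaddress.ip_address(m["ip"]) not in MANAGEMENT_NET:
            reasons.append("source outside management network")
        encoded = {k: v for k, v in params.items() if looks_like_base64_text(v)}
        if encoded:
            reasons.append("base64-encoded value in parameter(s): " + ", ".join(encoded))
        if reasons:
            findings.append({
                "ip": m["ip"],
                "method": m["method"],
                "params": params,
                # Decoded values help an analyst see what password was set.
                "decoded": {k: base64.b64decode(v).decode("ascii") for k, v in encoded.items()},
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOGS):
        print(f["ip"], f["method"], "; ".join(f["reasons"]), f["decoded"])
```

The source-network check catches the POST variant even though the body is not logged, and the base64 check catches a GET from an allowed host that is nonetheless carrying an encoded credential; in a real deployment the subnet and the log format are the two things to adjust.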

Added: Dec 30, 2025, 11:24 PM
Updated: Dec 30, 2025, 11:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.