Primary

Context

Tinycontrol LAN Controller Missing Authentication Vulnerability in stm.cgi Endpoint Allowing Remote Denial-of-Service

Vulnerability

A missing authentication vulnerability has been identified in Tinycontrol LAN Controller v3 (LK3) firmware versions through 1.58a, hardware v3.8. The vulnerability exists in the stm.cgi endpoint, where a remote, unauthenticated attacker can send crafted requests to forcibly reboot the device or restore factory settings. This exploitation leads to a denial-of-service condition and loss of configuration.

Impact

Exploitation of this vulnerability causes a remote denial-of-service condition by rebooting the device or resetting it to factory settings, resulting in a loss of configuration.

Reproduction

To reproduce this vulnerability, send a request to the stm.cgi endpoint with the eeprom_reset parameter set to 1 to restore factory settings, or with the lk3restart parameter set to 1 to reboot the controller.

Added: Nov 12, 2025, 11:01 PM

Updated: Nov 12, 2025, 11:01 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

8.7

remediation

0.0

relevance

1.0

threat

6.4

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

8.7

remediation

0.0

relevance

1.0

threat

6.4

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tinycontrol LAN Controller Missing Authentication Vulnerability in stm.cgi Endpoint Allowing Remote Denial-of-Service

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating