CVE-2025-15587

CVE-2025-15587 is a high-severity vulnerability with a CVSS 4.0 base score of 8.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-425.

Key facts

Description

Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).

Frequently asked questions

What is CVE-2025-15587?
Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).
How severe is CVE-2025-15587?
CVE-2025-15587 has a CVSS 4.0 base score of 8.6, rated high severity.
Is CVE-2025-15587 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (7th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-15587?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2025-15587 have an EU (EUVD) identifier?
Yes. CVE-2025-15587 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-208690.
When was CVE-2025-15587 published?
CVE-2025-15587 was published on 2026-03-16 and last updated on 2026-06-17.

References

Other CWE-425 vulnerabilities

Browse all CWE-425 vulnerabilities →