Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials. Attackers can retrieve the lk3_settings.bin file and extract base64-encoded user and admin passwords without authentication.
An attacker without any authentication can remotely download the configuration file lk3_settings.bin directly from the device. This file contains user and administrator passwords encoded in Base64 — this encoding is not a form of encryption and is trivially reversible. The vulnerability falls under the CWE-260 category (Password in Configuration File), where sensitive authentication data is stored in an insufficiently secured manner and is accessible without authorization.
The attacker gains full access credentials (user and administrator passwords) to the controller, enabling complete takeover of the device and potentially the network or industrial infrastructure it controls.
Apply patches available from the vendor according to the references. As a remedial measure, immediately restrict network access to the device to trusted hosts only (e.g., through firewall or network segmentation) and change administrator and user passwords after applying the update.
Tinycontrol LAN Controller v3 LK3 version 1.58a
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X