Aquatronica Controller System Credential Leak

Advisories

Aquatronica Controller System Credential Leak

severity: critical
date: 6/20/2025
Affecting: Aquatronica Controller System <= 5.1.6
An affected version range remains undefined
CVE: CVE-2025-25037
CVE type: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
References: Shadowserver Exploitation Evidence
Zero Science Lab Disclosure (ZSL-2024-5824)
ExploitDB-52028
Credit: Gjoko Krstic of Zero Science
Description: An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-03 UTC.
VulnCheck KEV: This advisory is in the VulnCheck KEV database

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo