Tinycontrol LAN Controller v3 (LK3) Remote DoS

Advisories

severity: high
date: November 12, 2025
Affecting: LK3 firmware versions <= 1.58a, hardware versions <= 3.8
An affected version range remains undefined
CVE: CVE-2023-7329
CWE: CWE-306 Missing Authentication for Critical Function
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References: Zero Science Lab Disclosure
ExploitDB-51730
Packet-Storm-Security-174455
IBM-X-Force-275810
tinycontrol Product Site
Credit: Gjoko Krstic of Zero Science Lab
Description: Tinycontrol LAN Controller v3 (LK3) firmware versions up to 1.58a (hardware v3.8) contain a missing authentication vulnerability in the stm.cgi endpoint. A remote, unauthenticated attacker can send crafted requests to forcibly reboot the device or restore factory settings, leading to a denial of service and configuration loss.