CVE-2023-53739

Summary

Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials. Attackers can retrieve the lk3_settings.bin file and extract base64-encoded user and admin passwords without authentication.

Affected Software

VendorProductVersion RangeStatus
TinycontrolTinycontrol LAN Controller v<=1.58aaffected
TinycontrolTinycontrol LAN Controller vHW 3.8affected
TinycontrolLK<=1.58aaffected
TinycontrolLKHW 3.8affected

Weaknesses

  • CWE-260: CWE-260: Password in Configuration File

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References