CVE-2025-2189
5.1
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
This vulnerability exists in the Tinxy smart devices due to storage of credentials in plaintext within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the plaintext credentials stored on the vulnerable device.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mogify Infotech | Tinxy Wi-Fi Lock Controller v1 RF | all versions | affected |
| Mogify Infotech | Tinxy Door Lock with Wi-Fi Controller | all versions | affected |
| Mogify Infotech | Tinxy 1 Node 10A and 16A Smart Wi-Fi Switches | all versions | affected |
| Mogify Infotech | Tinxy 2, 4 and 6 Node Smart Wi-Fi Switches | all versions | affected |
| Mogify Infotech | Tinxy Smart 15 Watts 3 in 1 Square Panel Ceiling Light | all versions | affected |
| Mogify Infotech | Tinxy Smart 8 Watts 3 in 1 Round Panel Ceiling Light | all versions | affected |
Weaknesses
- CWE-312: CWE-312: Cleartext Storage of Sensitive Information
Workarounds
Perform risk assessment and implement physical security controls to prevent unauthorized access to the device.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.