Tinycontrol · LK3.9 · CVE-2025-11500
**Name of the Vulnerable Software and Affected Versions**
tcPDU versions prior to 1.36
LAN Controller LK3.5 versions prior to 1.67
LAN Controller LK3.9 versions prior to 1.75
LAN Controller LK4 versions prior to 1.38
**Description**
Tinycontrol devices, including tcPDU and the LAN Controllers LK3.5, LK3.9, and LK4, have two authentication mechanisms: one for the interface management portal and another for the remaining server resources. When the latter is disabled (the default setting), an unauthenticated attacker on the local network can retrieve usernames and encoded passwords for the interface management portal by examining the HTTP response from the login page, which includes a JSON file containing these credentials. Both the standard and the administrator user credentials are exposed.
**Recommendations**
tcPDU: Update to firmware version 1.36 or later.
LAN Controller LK3.5: Update to firmware version 1.67 or later.
LAN Controller LK3.9: Update to firmware version 1.75 or later.
LAN Controller LK4: Update to firmware version 1.38 or later.
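To find which devices in an inventory still run an affected firmware, here is an added Python audit script (not Tinycontrol's code). The fixed versions come from this advisory; the inventory, hosts and version strings are constructed samples, and the script assumes firmware versions are dotted integer components as written above.

```python
# Added inventory audit for CVE-2025-11500 (not Tinycontrol code).
# Fixed versions are taken from the advisory; the inventory below is constructed.

FIXED_VERSIONS = {
    "tcPDU": "1.36",
    "LK3.5": "1.67",
    "LK3.9": "1.75",
    "LK4": "1.38",
}

def parse_version(version):
    """Turn '1.75' into (1, 75) so comparison is numeric, not lexical.

    A string comparison would rank '1.7' above '1.67', so a device on
    firmware 1.7 would wrongly pass the check. Assumes dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)

def is_affected(model, version):
    """True if this model/firmware pair is still vulnerable."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        raise KeyError(f"model not covered by the advisory: {model!r}")
    return parse_version(version) < parse_version(fixed)

def audit(inventory):
    """Return (model, host, version, fixed) for every device needing an update."""
    findings = []
    for device in inventory:
        model, version = device["model"], device["version"]
        if is_affected(model, version):
            findings.append((model, device["host"], version, FIXED_VERSIONS[model]))
    return findings

# Constructed sample inventory; hosts and versions are placeholders.
SAMPLE_INVENTORY = [
    {"model": "LK3.9", "host": "10.0.0.11", "version": "1.74"},
    {"model": "LK3.9", "host": "10.0.0.12", "version": "1.75"},
    {"model": "LK3.5", "host": "10.0.0.13", "version": "1.7"},   # lexically > 1.67, numerically older
    {"model": "tcPDU", "host": "10.0.0.14", "version": "1.36"},
    {"model": "LK4",   "host": "10.0.0.15", "version": "1.38"},
]

if __name__ == "__main__":
    for model, host, version, fixed in audit(SAMPLE_INVENTORY):
        print(f"{host} ({model}) runs {version}; update to {fixed} or later")
```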