CVE-2025-25037

critical

Description

An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.

References

Exploits
More

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php

https://www.exploit-db.com/exploits/52028

https://www.aquatronica.com

https://vulncheck.com/advisories/aquatronica-controller-system-credential-leak

https://fortiguard.fortinet.com/encyclopedia/ips/56008

Details

Source: Mitre, NVD

Published: 2025-06-20

Updated: 2025-06-23

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Severity: Critical

EPSS

EPSS: 0.00146