CVE-2023-54327
Severity: CRITICAL
WAF Coverage: Low
CVSS: 9.8
Published: 2025-12-30
CWE-862
Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentication parameter to disable access controls and modify administrative credentials.
WAF Coverage Analysis
- Weakness: Missing Authorization (CWE-862)
- WAF coverage: Low
- OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| tinycontrol | lan_controller_firmware | up to 1.58a |
References
- www.exploit-db.com (Exploit, Third Party Advisory)
- www.tinycontrol.pl (Product)
- www.vulncheck.com (Third Party Advisory)
- www.zeroscience.mk (Exploit, Third Party Advisory)