CVE-2025-25037 CRITICAL

CVE-2025-25037: Aquatronica Controller System Complete Information Disclosure

Vendor: Aquatronica
Product: Aquatronica Controller System
Weakness: CWE-200 · Info exposure
Published: June 20, 2025
Last update: April 7, 2026

CVSS base score

9.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.

Key dates

02 Disclosure timeline

June 20, 2025 CVE published
April 7, 2026 Record updated