QwikSec

Security Database

CVE

CWE

Training

CVE-2025-25037

Published: Jun 20, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.

Vendor	Product	Versions
Aquatronica	Aquatronica Controller System	affected `0 - <= 5.1.6`

Weaknesses (CWE)

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php

exploit

third-party-advisory

https://www.exploit-db.com/exploits/52028

exploit

third-party-advisory

https://fortiguard.fortinet.com/encyclopedia/ips/56008

third-party-advisory

https://www.aquatronica.com

product

https://vulncheck.com/advisories/aquatronica-controller-system-credential-leak

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.