CVE-2025-25037

Aquatronica Controller System Complete Information Disclosure

CVSS 9.3 CRITICALEPSS 1.4%CWE-200

Vexday Risk Score

63High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.3EPSS 1.4%KEV nãoPoC públicaNuclei simMetasploit —Patch —

Lifecycle

20 Jun 2025Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Affected products

Aquatronica · Aquatronica Controller System

public PoCs found — 2

cve_referencewww.exploit-db.com/exploits/52028unverified cve_referencewww.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.phpunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://fortiguard.fortinet.com/encyclopedia/ips/56008 https://vulncheck.com/advisories/aquatronica-controller-system-credential-leak https://www.aquatronica.com https://www.exploit-db.com/exploits/52028 https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php