CVE-2025-44614 – The Tinxy WiFi Lock Controller v1 RF stores sen... (How to Fix)

Q: What is the severity of CVE-2025-44614?

CVE-2025-44614 has a CVSS score of 7.5 (HIGH). The Tinxy WiFi Lock Controller v1 RF stores sensitive user information including credentials and phone numbers in plaintext, allowing attackers with access to the device or its storage to read this data. This affects all users of the vulnerable Tinxy WiFi Lock Controller v1 RF device.

📋 TL;DR

The Tinxy WiFi Lock Controller v1 RF stores sensitive user information including credentials and phone numbers in plaintext, allowing attackers with access to the device or its storage to read this data. This affects all users of the vulnerable Tinxy WiFi Lock Controller v1 RF device.

💻 Affected Systems

Products:

Tinxy WiFi Lock Controller v1 RF

Versions: All versions prior to any security patch

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices with default configuration are vulnerable as this is a design flaw in how data is stored.

📦 What is this software?

Wifi Lock Controller V1 Rf Firmware by Tinxy

View all CVEs affecting Wifi Lock Controller V1 Rf Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain physical or network access to the device, extract all stored credentials and phone numbers, then use them for credential stuffing attacks, identity theft, or unauthorized access to user accounts.

🟠

Likely Case

Malicious actors with physical access to the device or compromised network access can read stored credentials and personal information, potentially leading to account compromise.

🟢

If Mitigated

With proper network segmentation and physical security controls, the impact is limited to authorized personnel who could still potentially access sensitive data.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires physical access to the device or access to its storage system. The GitHub reference shows detailed analysis of the plaintext storage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Contact Tinxy vendor for firmware updates or replacement options.

🔧 Temporary Workarounds

Disconnect from networks

all

Remove the device from WiFi networks to prevent remote access

Physical security controls

all

Implement strict physical access controls to prevent unauthorized device access

🧯 If You Can't Patch

Isolate the device on a separate network segment with strict firewall rules
Implement physical security measures to prevent unauthorized access to the device

🔍 How to Verify

Check if Vulnerable:

Check device storage or memory for plaintext credentials and phone numbers. The GitHub reference shows specific memory locations where data is stored.

Check Version:

No standard command - check device firmware version through manufacturer interface

Verify Fix Applied:

Verify that sensitive data is encrypted in storage by checking the same memory locations that previously contained plaintext data.

📡 Detection & Monitoring

Log Indicators:

Unauthorized physical access attempts
Unusual network access patterns to the device

Network Indicators:

Unexpected connections to the device's management interface
Traffic patterns suggesting data extraction

SIEM Query:

No standard SIEM query available due to embedded nature of device

📊 Metadata

CVE ID: CVE-2025-44614

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-312

EPSS Score: 0.04% exploit probability (11.2th percentile)

Published: May 30, 2025

Last Updated: July 22, 2025

🔗 References

https://github.com/ShravanSinghRathore/Tinxy/wiki/1.-WiFi-Lock-Controller-v1-RF-%281%E2%80%909%29 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-44614, you might also want to check these: