CVE-2023-54327

Tinycontrol LAN Controller version 1.58a is affected by CVE-2023-54327, an authentication bypass vulnerability stemming from CWE-862 (Missing Authorization). The flaw enables unauthenticated attackers to submit a specially crafted API request to the /stm.cgi endpoint, using a manipulated authentication parameter to disable access controls and modify administrative credentials, including changing admin passwords. This issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impact on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability with low complexity and no user interaction required. By sending the crafted request, they gain the ability to overwrite admin passwords, effectively seizing full administrative control of the device. This could lead to complete compromise of the LAN controller, potentially allowing further network pivoting or disruption of connected systems.

Advisories from VulnCheck and Zero Science Laboratory (ZSL-2023-5787) describe the vulnerability in detail, with a proof-of-concept exploit published on Exploit-DB (EDB-ID: 51732). The vendor's site at tinycontrol.pl is referenced, though specific patch or mitigation instructions are not detailed in available sources. Security practitioners should isolate affected devices and monitor for anomalous /stm.cgi requests until updates are confirmed.