CVE-2025-2189: Information Disclosure Vulnerability in Tinxy Smart Devices

5.1 CVSS

Description

This vulnerability exists in the Tinxy smart devices due to storage of credentials in plaintext within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the plaintext credentials stored on the vulnerable device.

Classification

CVE ID: CVE-2025-2189

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.1

CVSS Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Problem Types

CWE-312: Cleartext Storage of Sensitive Information

Affected Products

Vendor: Mogify Infotech

Product: Tinxy Wi-Fi Lock Controller v1 RF; Tinxy Door Lock with Wi-Fi Controller; Tinxy 1 Node 10A and 16A Smart Wi-Fi Switches; Tinxy 2, 4 and 6 Node Smart Wi-Fi Switches; Tinxy Smart 15 Watts 3 in 1 Square Panel Ceiling Light; Tinxy Smart 8 Watts 3 in 1 Round Panel Ceiling Light

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 0.58% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-09 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2189
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0043
