CVE-2025-5484

A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default password is well-known and common to all devices. Modification of the default password is not enforced during device setup. A malicious actor can retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-160-01
https://www.sinotrackgps.com/help-center

Configurations

No configuration.

History

16 Jun 2025, 12:32

Type	Values Removed	Values Added
Summary		(es) Se requiere un nombre de usuario y una contraseña para autenticarse en la interfaz central de gestión de dispositivos de SinoTrack. El nombre de usuario para todos los dispositivos es un identificador impreso en el receptor. La contraseña predeterminada es conocida y común para todos los dispositivos. La modificación de la contraseña predeterminada no se aplica durante la configuración del dispositivo. Un atacante puede obtener los identificadores de los dispositivos mediante acceso físico o mediante la captura de identificadores de imágenes de los dispositivos publicadas en sitios web de acceso público como eBay.

12 Jun 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-12 20:15

Updated : 2025-06-16 12:32

NVD link : CVE-2025-5484

Mitre link : CVE-2025-5484

CVE.ORG link : CVE-2025-5484

JSON object : View

Products Affected

No product.

CWE

CWE-1390

{"id": "CVE-2025-5484", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-12T20:15:22.113", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-160-01", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.sinotrackgps.com/help-center", "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-1390"}]}], "descriptions": [{"lang": "en", "value": "A username and password are required to authenticate to the central \nSinoTrack device management interface. The username for all devices is \nan identifier printed on the receiver. The default password is \nwell-known and common to all devices. Modification of the default \npassword is not enforced during device setup. A malicious actor can \nretrieve device identifiers with either physical access or by capturing \nidentifiers from pictures of the devices posted on publicly accessible \nwebsites such as eBay."}, {"lang": "es", "value": "Se requiere un nombre de usuario y una contrase\u00f1a para autenticarse en la interfaz central de gesti\u00f3n de dispositivos de SinoTrack. El nombre de usuario para todos los dispositivos es un identificador impreso en el receptor. La contrase\u00f1a predeterminada es conocida y com\u00fan para todos los dispositivos. La modificaci\u00f3n de la contrase\u00f1a predeterminada no se aplica durante la configuraci\u00f3n del dispositivo. Un atacante puede obtener los identificadores de los dispositivos mediante acceso f\u00edsico o mediante la captura de identificadores de im\u00e1genes de los dispositivos publicadas en sitios web de acceso p\u00fablico como eBay."}], "lastModified": "2025-06-16T12:32:18.840", "sourceIdentifier": "ics-cert@hq.dhs.gov"}