CVE-2025-5484

12.06.2025, 20:15

A username and password are required to authenticate to the central
SinoTrack device management interface. The username for all devices is
an identifier printed on the receiver. The default password is
well-known and common to all devices. Modification of the default
password is not enforced during device setup. A malicious actor can
retrieve device identifiers with either physical access or by capturing
identifiers from pictures of the devices posted on publicly accessible
websites such as eBay.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.3 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
icscert	CNA	8.3 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-1390 - Weak Authentication
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

Vulnerability Media Exposure

[ENGLISH] SinoTrack GPS Devices Vulnerable to Remote Vehicle Control via Default Passwords
Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations. "Successful exploitation of these vulnerabilities could allow an attacker to access device profiles without authorization through the common web management interface," the U.S. Cybersecurity and Infrastructure
Published: 2025-06-11T15:58:00+05:30

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-160-01

https://www.sinotrackgps.com/help-center