SecuriTricks - CVE-2025-5484

Description

A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default password is well-known and common to all devices. Modification of the default password is not enforced during device setup. A malicious actor can retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay.

Product(s) Impacted

Vendor	Product	Versions
Sino Track	Device Management Interface	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1390

Weak Authentication

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	sino_track	device_management_interface	/	/	/	/	/	/	/	/

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-160-01

https://www.sinotrackgps.com/help-center

CVSS Score

7.6 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: PRESENT
Privileges Required: NONE
User Interaction: PASSIVE
Scope:
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: June 12, 2025, 8:15 p.m.
Last Modified: June 12, 2025, 8:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

ics-cert@hq.dhs.gov

CVE-2025-5484