CVE-2025-5484

high

Description

A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default password is well-known and common to all devices. Modification of the default password is not enforced during device setup. A malicious actor can retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay.

References

References
More

https://hackread.com/cisa-remote-control-flaws-sinotrack-gps-trackers/

https://www.cisa.gov/news-events/ics-advisories/icsa-25-160-01

https://www.sinotrackgps.com/help-center

Details

Source: Mitre, NVD

Published: 2025-06-12

Updated: 2025-06-12

Risk Information

CVSS v2

Base Score: 9.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:P

Severity: High

CVSS v3

Base Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Severity: High

CVSS v4

Base Score: 7.6

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Severity: High