CVE-2025-5484

HIGH

SinoTrack - Auth Bypass

Title source: llm

Description

A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default password is well-known and common to all devices. Modification of the default password is not enforced during device setup. A malicious actor can retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay.

References (2)

[Various Sources] https://www.sinotrackgps.com/help-center

[Third Party Advisory, US Government Resource] https://www.cisa.gov/news-events/ics-advisories/icsa-25-160-01

Scores

CVSS v3 8.3

EPSS 0.0023

EPSS Percentile 45.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1390

Status published

Products (1)

SinoTrack/IOT PC Platform All versions

Published Jun 12, 2025

Tracked Since Feb 18, 2026