CVE-2025-5485

Summary

User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences.

Affected Software

VendorProductVersion RangeStatus
SinoTrackIOT PC PlatformAll versionsaffected

Weaknesses

  • CWE-204: CWE-204

Workarounds

SinoTrack did not respond to CISA's request for coordination. Please contact SinoTrack https://www.sinotrackgps.com/help-center for more information.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References