CVE-2020-17483

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to access sensitive information about all connected GPS tracking devices by querying port 9000 on Uffizio GPS Tracker systems. The exposed JSON data includes detailed device information that could enable further attacks. All organizations using Uffizio GPS Tracker are affected.

💻 Affected Systems

Products:
  • Uffizio GPS Tracker
Versions: All versions
Operating Systems: Unknown
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the web interface on port 9000. Any system with this service exposed is vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map all deployed GPS devices, track their locations in real time, compromise device integrity, and potentially pivot to internal networks through connected devices.

🟠 Likely Case

Attackers will harvest sensitive device information including locations, identifiers, and configuration details, enabling surveillance, device spoofing, or preparation for more sophisticated attacks.

🟢 If Mitigated

With proper network segmentation and access controls, the exposure would be limited to authorized internal users only, preventing external exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP GET requests to port 9000. No authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.uffizio.com/

Restart Required: No

Instructions:

No official patch available. Contact vendor for updates and implement workarounds immediately.

🔧 Temporary Workarounds

Block Port 9000 at Firewall (all platforms)

Prevent external access to the vulnerable service. Note that iptables -A appends the rule to the end of the INPUT chain, so it only takes effect if no earlier rule already accepts traffic to port 9000 (use -I to insert it ahead of such rules).

  iptables -A INPUT -p tcp --dport 9000 -j DROP
  netsh advfirewall firewall add rule name="Block Uffizio Port" dir=in action=block protocol=TCP localport=9000

Network Segmentation (all platforms)

Isolate GPS tracker systems from the internet and restrict internal access.

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to port 9000 only from authorized management systems
  • Monitor network traffic to port 9000 for unauthorized access attempts and implement alerting

🔍 How to Verify

Check if Vulnerable:

Run: curl -s http://<target_ip>:9000 | grep -i device
(or, if curl is unavailable) wget -qO- http://<target_ip>:9000 | grep -i device
A match on "device" in the response means the information endpoint is reachable without authentication.

Check Version:

Unknown - check vendor documentation or web interface

Verify Fix Applied:

Verify port 9000 is not accessible externally and test from authorized internal systems only

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to port 9000 from unauthorized IPs
  • Large JSON responses from GPS tracker service

Network Indicators:

  • TCP connections to port 9000 from external IPs
  • HTTP GET requests to root path on port 9000

SIEM Query:

(source_port=9000 AND src_ip NOT IN [authorized_ips]) OR (dest_port=9000 AND dest_ip IN [gps_tracker_ips])
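The detection logic from the SIEM query above, applied to a few constructed firewall log lines in Python. This is an added example, not code from the page or the vendor; the key=value log format, the GPS tracker host inventory and the authorized management subnet are assumptions.

```python
import ipaddress
import re
from typing import Iterator

# Constructed sample lines in a generic key=value firewall log format (assumption, not a vendor format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z proto=tcp src_ip=10.0.5.20 src_port=51234 dst_ip=10.0.9.15 dst_port=9000 action=allow
2024-05-01T10:00:07Z proto=tcp src_ip=203.0.113.77 src_port=40211 dst_ip=10.0.9.15 dst_port=9000 action=allow
2024-05-01T10:00:09Z proto=tcp src_ip=198.51.100.9 src_port=40212 dst_ip=10.0.9.15 dst_port=443 action=allow
2024-05-01T10:00:12Z proto=tcp src_ip=203.0.113.78 src_port=40213 dst_ip=10.0.9.16 dst_port=9000 action=allow
2024-05-01T10:00:15Z proto=udp src_ip=10.0.5.21 src_port=9000 dst_ip=10.0.9.15 dst_port=9000 action=allow
"""

# Assumed inventory: the GPS tracker hosts and the management subnet allowed to reach port 9000 on them.
GPS_TRACKER_IPS = {ipaddress.ip_address("10.0.9.15"), ipaddress.ip_address("10.0.9.16")}
AUTHORIZED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
UFFIZIO_PORT = 9000

LINE_RE = re.compile(r"(\S+) proto=(\w+) src_ip=(\S+) src_port=(\d+) dst_ip=(\S+) dst_port=(\d+)")


def parse_events(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed log line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proto, sip, sport, dip, dport = m.groups()
        yield {"ts": ts, "proto": proto,
               "src_ip": ipaddress.ip_address(sip), "src_port": int(sport),
               "dst_ip": ipaddress.ip_address(dip), "dst_port": int(dport)}


def is_authorized(ip: ipaddress._BaseAddress) -> bool:
    return any(ip in net for net in AUTHORIZED_NETS)


def find_unauthorized_access(text: str) -> list:
    """Flag TCP connections to port 9000 on a GPS tracker host from a source outside the allowlist."""
    hits = []
    for ev in parse_events(text):
        if ev["proto"] != "tcp" or ev["dst_port"] != UFFIZIO_PORT:
            continue
        if ev["dst_ip"] not in GPS_TRACKER_IPS or is_authorized(ev["src_ip"]):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_unauthorized_access(SAMPLE_LOG):
        print(f"{ev['ts']} ALERT {ev['src_ip']} -> {ev['dst_ip']}:{ev['dst_port']} (unauthorized source)")
```

Running it flags the two connections from 203.0.113.0/24 and ignores the authorized management host, the HTTPS connection and the UDP line.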
