Uffizio GPS Tracker
Act Now | 9.8 | ICS-CERT ICSA-21-287-02 | Oct 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Uffizio GPS Tracker contains multiple vulnerabilities affecting input validation (CWE-284), file upload handling (CWE-434), URL redirects (CWE-601), cross-site scripting (CWE-79), and CSRF protection (CWE-352). An attacker with network access can view sensitive information, execute code on the device, redirect users to arbitrary domains, and perform unauthorized actions. The vendor has not supplied mitigations or patches and recommends users contact them directly for information.
What this means
What could happen
An attacker with network access to the GPS Tracker could view sensitive location and user data, execute arbitrary commands on the device, redirect users to malicious websites, or perform unauthorized actions without user consent. This could compromise operational awareness and enable further network compromise.
Who's at risk
Any organization using Uffizio GPS Tracker for vehicle or asset location monitoring, including fleet management operations, logistics providers, and public sector agencies tracking municipal vehicles or equipment. This affects anyone relying on the tracker for operational visibility.
How it could be exploited
An attacker on the same network as the GPS Tracker (or with internet access if the device is exposed) could send specially crafted requests to exploit insecure input handling and missing authentication checks. By uploading malicious files, injecting code, or manipulating redirects, the attacker gains the ability to run commands or extract sensitive tracking data.
Prerequisites
- Network access to the GPS Tracker device
- No credentials required
Remotely exploitable | No authentication required | Low complexity attack | No patch available | Critical severity
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
GPS Tracker: All Versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the GPS Tracker by placing it behind a firewall and isolating it from the business network
- HARDENING: Ensure the GPS Tracker is not accessible from the Internet; audit and block any inbound routes from external networks
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HARDENING: If remote access to the GPS Tracker is required, implement a VPN with strong encryption and current security patches; restrict VPN access to authorized personnel only
- HARDENING: Monitor the device for suspicious activity and establish logging to detect unauthorized access attempts or file uploads
Mitigations - no patch available
GPS Tracker: All Versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Segment the network so the GPS Tracker operates on a separate VLAN or DMZ from critical operational equipment and business systems