High

Improper Access Control in Uffizio GPS Tracker

IdentifiersCVE-2020-17483CWE-284

CVE-2020-17483 is an improper access control vulnerability in all versions of Uffizio's GPS Tracker. The application exposes sensitive information about all connected devices via a JSON response when accessing the host on port 9000. This allows unauthenticated users to retrieve details about every deployed device.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Attackers can obtain sensitive information about all devices connected to the Uffizio GPS Tracker system, potentially including device identifiers, locations, and other private data. This can lead to privacy violations, tracking, and further targeted attacks against device owners or the infrastructure.

Mitigation

If you can’t patch tonight, do this now.

Restrict network access to port 9000 to trusted hosts only, such as through firewall rules or network segmentation, until a patch is available. Monitor access logs for suspicious activity targeting this endpoint.

Remediation

Patch, then assume compromise.

Implement proper authentication and authorization checks on the endpoint exposed on port 9000 to ensure that only authorized users can access device information. Limit the information returned to only what is necessary for authenticated users.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

UffizioGps Trackerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

medium deepspecterNews

Jul 7, 2025

The GPS Leak No One Talked About: Uffizio’s Silent Exposure | by Deep Specter Research | Medium

An improper access control vulnerability in Uffizio GPS Tracker / rebranded fleet management deployments where port 9000 exposes a JSON endpoint that reveals information about deployed GPS devices, including historically sensitive fleet and subscriber data.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2020-17483

NVD

nvd.nist.gov/vuln/detail/CVE-2020-17483

MITRE CWE · CWE-284

cwe.mitre.org

Third Party Advisory

cisa.gov/news-events/ics-advisories/icsa-21-287-02

Product

uffizio.com