CVE-2025-51643
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-10-02
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| meitrack | t366l-g_firmware | t366l_y24h131v039 |
| meitrack | t366l-g | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Meitrack T366G-L GPS Tracker devices involves an unprotected SPI flash memory chip (Winbond 25Q64JVSIQ) that can be accessed without authentication or tamper protection. An attacker with physical access can connect a standard SPI programmer to exposed test pads or debug headers on the device's PCB and extract the full firmware and sensitive configuration data such as APN credentials, backend server information, and network parameters in plaintext. [1]
How can this vulnerability impact me?
This vulnerability poses a high confidentiality risk because an attacker can obtain the full firmware and sensitive configuration data in plaintext. It also risks integrity compromise if the attacker modifies the firmware offline and reflashes the device. However, there is no direct impact on device availability. Operators may face exposure of sensitive network credentials and backend information, potentially leading to unauthorized access or manipulation of the device and associated systems. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by physically inspecting the Meitrack T366G-L GPS Tracker device for an exposed SPI flash chip (Winbond 25Q64JVSIQ) and accessible debug/test pads on the PCB. Detection involves disassembling the device to access the PCB and identifying the SPI flash chip and debug pads. Using a standard SPI programmer (e.g., CH341A) connected to the SPI interface lines (VCC, GND, CS, CLK, MOSI, MISO), you can dump the firmware with the flashrom tool. A typical command to dump the firmware is: `flashrom -p ch341a_spi -r firmware.bin` [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting physical access to the device, using tamper-evident seals to detect unauthorized access, rotating backend credentials if device integrity is suspected, and segmenting the network with IP allow-lists and multi-factor authentication on management endpoints. Since the vulnerability requires physical access, preventing unauthorized physical access is critical. [1]
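When device integrity is suspected, an operator can compare a dump taken from the returned unit against a known-good image to decide whether the firmware was modified and reflashed. The following is an added example, not part of the original page or any vendor tooling; the baseline image, the function names and the per-device configuration range are assumptions, and the sample images are constructed.

```python
import hashlib

FLASH_SIZE = 8 * 1024 * 1024  # Winbond 25Q64: 64 Mbit = 8 MiB
SECTOR = 4096                 # 4 KiB sector, the chip's smallest erase unit


def sector_digests(image: bytes) -> list[bytes]:
    """SHA-256 of every 4 KiB sector; rejects truncated or oversized reads."""
    if len(image) != FLASH_SIZE:
        raise ValueError(f"expected {FLASH_SIZE} bytes, got {len(image)}")
    return [hashlib.sha256(image[o:o + SECTOR]).digest()
            for o in range(0, FLASH_SIZE, SECTOR)]


def audit_dump(baseline: bytes, read_a: bytes, read_b: bytes,
               config_ranges: list[tuple[int, int]]) -> dict:
    """Compare a returned device's flash against the known-good image.

    read_a / read_b are two consecutive reads of the same chip; they must
    match, otherwise the programmer contact was unreliable and the comparison
    means nothing. config_ranges are [start, end) byte ranges that legitimately
    differ per device (assumed layout, supplied by the operator).
    """
    if read_a != read_b:
        raise ValueError("unstable read: re-seat the programmer and dump again")
    good, seen = sector_digests(baseline), sector_digests(read_a)
    changed = [i * SECTOR for i, (g, s) in enumerate(zip(good, seen)) if g != s]

    def in_config(off: int) -> bool:
        return any(start <= off and off + SECTOR <= end
                   for start, end in config_ranges)

    unexpected = [off for off in changed if not in_config(off)]
    return {
        "sha256": hashlib.sha256(read_a).hexdigest(),
        "config_changed": [off for off in changed if in_config(off)],
        "unexpected": unexpected,
        "tampered": bool(unexpected),
    }


if __name__ == "__main__":
    # Constructed images, not real firmware.
    baseline = bytes(FLASH_SIZE)
    dump = bytearray(baseline)
    dump[0x7F0000:0x7F0004] = b"cfg1"  # per-device config sector (assumed location)
    dump[0x012345] ^= 0xFF             # one flipped byte in the code region
    report = audit_dump(baseline, bytes(dump), bytes(dump), [(0x7F0000, 0x800000)])
    print(report["tampered"], [hex(o) for o in report["unexpected"]])
```

Any offset in `unexpected` means a sector outside the declared configuration area differs from the baseline, which is the condition under which the page advises rotating backend credentials.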