CVE-2025-0219 · A vulnerability, which was classified as problematic, has been found in Trimble SPS851 488.01.

01 · The Real Story

This is graffiti on the control panel, not a master key to the building

CVE-2025-0219 is a stored XSS in the Trimble SPS851 web management interface, specifically the Receiver Status / Identity area where the System Name value is handled unsafely. The affected version publicly named in the CVE record is 488.01. An authenticated user can store script in that field, and the payload persists when the page is viewed again in the receiver's web UI.

The vendor's LOW rating is basically right in real-world enterprise terms. The decisive limiter is that the attacker already needs high-privilege authenticated access to a management interface on a relatively niche GNSS receiver, then still needs a browser view to fire the payload; that makes this a post-auth admin-session abuse issue with narrow exposure, not a practical initial-access path.

"This is a post-auth stored XSS on a niche device UI, not an enterprise-breaker"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the receiver management UI

The attacker first needs HTTP/HTTPS access to the Trimble receiver's management plane. Trimble's own documentation shows the device exposes a web interface and a programmatic HTTP interface over TCP/IP for management operations. Weaponized tool: a standard browser, curl, or Burp Suite is sufficient; no exploit framework is required.

Conditions required:

Network path to the SPS851 management IP or hostname
Web management interface enabled and reachable
Target asset is an SPS851 in the affected firmware family

Where this breaks in practice:

These receivers are usually on field, plant, or contractor networks rather than broad internet-facing enterprise segments
Many enterprises will not even have this product in large numbers
External attack surface exposure appears niche; no reliable product-specific census counts were retrieved

Detection/coverage: Basic network scanners can find the web UI, but they do not prove this XSS. Asset inventory and OT discovery are more useful than generic vuln scans here.

STEP 02

Authenticate with privileged access

The published CVSS vector requires PR:H, which matches the practical reality: the attacker needs an authenticated account capable of editing the Identity page value. Trimble documentation also shows authenticated programmatic access when security is enabled. Weaponized tool: browser login or authenticated curl requests.

Conditions required:

Valid receiver credentials
Privileges sufficient to edit the relevant configuration field

Where this breaks in practice:

Requiring valid admin or equivalent access means this is already downstream of credential theft, shared-password abuse, or insider misuse
Modern MFA and PAM often sit in front of enterprise apps, but many embedded devices still rely on local accounts, which limits scale but not necessarily single-device abuse

Detection/coverage: Successful login events may be visible only on the device or adjacent network logs; many enterprise SIEM pipelines will have weak telemetry from this class of embedded receiver.

STEP 03

Store script in System Name

The attacker writes a payload into the System Name field on the Receiver Status / Identity page. The public disclosure explicitly describes persistent execution after refresh, which makes this a stored rather than purely reflected XSS. Weaponized tool: browser dev tools, Burp Repeater, or a crafted request.

Conditions required:

Ability to modify the System Name value
Input not sanitized or encoded server-side

Where this breaks in practice:

Impact is constrained to what the web UI exposes and what the victim browser session can do
This is not code execution on the receiver firmware itself from the published evidence

Detection/coverage: Authenticated DAST or manual testing can catch this. Most agentless network scanners will miss it unless they support logged-in web workflows and field-level payload testing.

STEP 04

Trigger in an admin browser session

The payload executes when the poisoned page is loaded by the same user or another privileged user. From there, browser-side actions can target the management session, including forced configuration changes or session theft depending on cookie handling and UI protections. Weaponized tool: in-browser JavaScript only.

Conditions required:

A privileged user opens the affected page after the payload is stored
Browser-side protections do not fully neutralize the payload's effect

Where this breaks in practice:

A human has to load the page, so this is not wormable or automatable at scale
Blast radius is typically one receiver and one admin session at a time
UI-specific actions may fail if anti-CSRF tokens, same-site cookies, or frame restrictions are present

Detection/coverage: Browser EDR rarely has visibility into embedded device admin portals. The best clues are suspicious configuration changes, anomalous admin page edits, or unexpected outbound requests from an admin browser.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No KEV listing and no credible active exploitation reporting was retrieved. CISA ADP enrichment visible via CIRCL marks exploitation as `poc`, not active campaign use.
Proof-of-concept availability	Yes, public disclosure exists. VulDB's accepted submission by Fergod includes a stored-XSS payload example (`<img/src/onerror=prompt(8)>`), and NVD states the exploit has been publicly disclosed.
EPSS	0.001 from the supplied intel — effectively floor-level exploit probability. That aligns with the narrow preconditions and niche device population.
KEV status	Not listed in CISA's Known Exploited Vulnerabilities catalog as checked against the catalog page. No federal exploitation prioritization signal here.
CVSS vector meaning	`CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N` means remote and easy once you're there, but you already need high privileges and user interaction, and the published impact is limited to integrity-only.
Affected versions	Public records consistently name Trimble SPS851 version 488.01 as affected, in the Receiver Status / Identity Tab handling of System Name.
Fixed version	No authoritative patched version was retrieved from public vendor material. Treat version `488.01` as affected; treat all non-488.01 results as unknown, not automatically fixed.
Exposure / scanning reality	No trustworthy product-specific GreyNoise/Shodan/Censys/FOFA counts were retrieved for SPS851. Practical exposure is likely niche OT/field management, not broad enterprise internet edge.
Disclosure timeline	The CVE was published on 2025-01-05. VulDB shows the original submission on 2024-12-17 and moderation acceptance on 2025-01-04.
Researcher / reporting source	The public disclosure credits Fergod in the accepted VulDB submission. NVD references VulDB as the CVE source.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to LOW (2.7/10)

The single biggest down-pressure is that exploitation requires already-authenticated high-privilege access to a niche device management UI. That makes this a post-compromise admin-session abuse problem with small reachable population and limited blast radius, so LOW is the right bucket.

HIGH Exploitability gating from attacker position and required privileges

MEDIUM Impact ceiling based on public disclosure and lack of vendor fix detail

MEDIUM Exposure assessment for real enterprise population of SPS851 devices

Why this verdict

Requires privileged authenticated access — starting from the vendor's 2.4 baseline, PR:H is the dominant limiter and implies the attacker is already past initial access or is abusing an insider/admin account.
User interaction is still required — the payload has to be rendered in a browser session, which adds another real-world choke point and prevents hands-off mass exploitation.
Narrow exposure and blast radius — this targets a specialized Trimble receiver UI, not a broadly exposed enterprise service; compromise scope is usually one device and one admin workflow at a time.

Why not higher?

There is no evidence in the public record of unauthenticated compromise, device-level RCE, or widespread internet exploitation. Even a successful exploit mostly buys browser-session abuse around a single embedded management UI, which is materially less dangerous than edge-service takeover or domain-wide credential theft.

Why not lower?

This is still a stored XSS in an administrative interface, not harmless UI noise. If your environment shares local device credentials, uses jump hosts for OT administration, or lets contractors access these receivers, the issue can still enable unauthorized configuration changes or session abuse against a real operational asset.

05 · Compensating Control

What to do — in priority order.

Restrict management-plane reachability — Limit the SPS851 web UI to jump hosts, engineering workstations, or VPN-restricted admin segments only. For a LOW verdict there is no SLA (treat as backlog hygiene), but this is still the highest-value control because it cuts off the first step in the chain without waiting for a firmware answer from Trimble.
Eliminate shared device credentials — Rotate any shared local admin passwords on affected receivers and move administration behind named accounts or vault checkout where possible. For LOW, handle this in the normal backlog-hygiene cycle; it matters because PR:H means credential hygiene is the whole game here.
Inspect and sanitize System Name values — Review the System Name field on known SPS851 488.01 assets and replace anything containing script-like characters or suspicious HTML/JS with a clean hostname. For LOW, do this during the next scheduled maintenance touch because it directly removes the stored payload condition.
Force admin access through a hardened browser path — Use a dedicated admin browser profile or jump host with script logging, tight extension policy, and no general web browsing. For LOW, fold this into standard admin workstation hardening; it reduces the impact if a stored payload is ever rendered.

What doesn't work

A perimeter WAF usually does not help much here because these embedded receiver UIs are rarely fronted by one, and authenticated field changes inside the device UI often bypass generic web protections.
Blindly relying on network vuln scanners will not close the gap; most will identify the web service at best, but they will not reliably execute an authenticated stored-XSS workflow in this specific admin page.
Endpoint EDR on the receiver is not a realistic control for this class of appliance-like GNSS device.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or jump host that can reach the receiver's management IP. Invoke it as ./check_trimble_sps851_cve_2025_0219.sh http://10.10.20.15 admin 'SuperSecret!'; no root is needed, but you do need valid receiver credentials because the management interface may require authentication.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_trimble_sps851_cve_2025_0219.sh
# Purpose: best-effort version check for CVE-2025-0219 on Trimble receivers.
# Logic:
#   - Query the receiver's programmatic interface for firmware version.
#   - If firmware version is exactly 488.01, report VULNERABLE.
#   - If another version is returned, report UNKNOWN because no authoritative fixed version
#     was retrieved in public sources for this CVE.
#   - If the interface is unreachable or auth fails, report UNKNOWN.
# Notes:
#   - This script does NOT exploit the XSS.
#   - It assumes you are targeting an asset already inventoried as Trimble SPS851.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / error

set -u

BASE_URL="${1:-}"
USER="${2:-}"
PASS="${3:-}"
TIMEOUT=10

if [[ -z "$BASE_URL" || -z "$USER" || -z "$PASS" ]]; then
  echo "UNKNOWN - usage: $0 <base_url> <username> <password>"
  exit 2
fi

trim_trailing_slash() {
  local s="$1"
  s="${s%/}"
  printf '%s' "$s"
}

BASE_URL="$(trim_trailing_slash "$BASE_URL")"
FW_URL="$BASE_URL/prog/show?firmwareVersion"
SN_URL="$BASE_URL/prog/show?serialNumber"
SYS_URL="$BASE_URL/prog/show?systemname"

fetch() {
  local url="$1"
  curl -ksS --max-time "$TIMEOUT" -u "$USER:$PASS" "$url"
}

FW_RAW="$(fetch "$FW_URL" 2>/dev/null)"
RC=$?
if [[ $RC -ne 0 || -z "$FW_RAW" ]]; then
  echo "UNKNOWN - could not query firmware version from $FW_URL"
  exit 2
fi

# Basic auth / error detection
if echo "$FW_RAW" | grep -Eqi '401|403|unauthorized|forbidden|error|invalid|login'; then
  echo "UNKNOWN - authentication failed or receiver returned an error"
  exit 2
fi

# Optional extra context
SN_RAW="$(fetch "$SN_URL" 2>/dev/null || true)"
SYS_RAW="$(fetch "$SYS_URL" 2>/dev/null || true)"

# Extract first version-like token, preferring 488.01 style values.
FW_VER="$(echo "$FW_RAW" | tr '\r' '\n' | grep -Eo '[0-9]+\.[0-9]+' | head -n1)"
SERIAL="$(echo "$SN_RAW" | tr '\r' '\n' | sed -n 's/.*sn=\([^[:space:]]*\).*/\1/p' | head -n1)"
SYSNAME="$(echo "$SYS_RAW" | tr '\r' '\n' | sed -n 's/.*name=\(.*\)$/\1/p' | head -n1)"

if [[ -z "$FW_VER" ]]; then
  echo "UNKNOWN - could not parse firmware version; raw response: $FW_RAW"
  exit 2
fi

if [[ "$FW_VER" == "488.01" ]]; then
  echo "VULNERABLE - firmwareVersion=$FW_VER serial=${SERIAL:-unknown} systemName=${SYSNAME:-unknown}"
  exit 1
fi

# No public authoritative fixed version retrieved; non-488.01 is not enough to claim patched.
echo "UNKNOWN - firmwareVersion=$FW_VER serial=${SERIAL:-unknown} systemName=${SYSNAME:-unknown}; affected version is publicly documented as 488.01, but no authoritative patched version was retrieved"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: find any Trimble SPS851 receivers running 488.01, confirm whether their web management UI is reachable beyond your intended admin segment, and put those assets into backlog hygiene rather than emergency response. For this LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA beyond normal maintenance handling, so the practical move is to restrict UI exposure now, inspect the System Name field for stored payloads, and then schedule firmware/vendor follow-up in the next routine device maintenance cycle once Trimble or your dealer can confirm a fixed image.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.