CyberSecurity news

Pierluigi Paganini@Security Affairs //
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding two critical vulnerabilities discovered in SinoTrack GPS devices. These flaws could allow malicious actors to remotely control vehicles and track their locations. The vulnerabilities affect all known SinoTrack devices and the SinoTrack IOT PC Platform. This alert follows the disclosure of these security weaknesses by independent researcher Raúl Ignacio Cruz Jiménez.

The identified vulnerabilities include a weak authentication flaw (CVE-2025-5484) and an observable response discrepancy (CVE-2025-5485). The weak authentication stems from the use of a default password across all devices and the use of the device identifier as the username. The identifier, which is printed on the receiver, is easily accessible, either through physical access to the device or through images posted online. The observable response discrepancy arises from the numerical structure of usernames, which are up to 10 digits long. This enables attackers to guess valid usernames by trying different number sequences.

Successful exploitation of these vulnerabilities could grant attackers unauthorized access to device profiles through the web management interface. This access could then be used to perform remote functions on connected vehicles, such as tracking the vehicle's location and, in some cases, disconnecting power to the fuel pump. With a CVSS v4 score of 8.8, CVE-2025-5485 is considered highly severe. While there are currently no official fixes available, CISA advises users to change the default password immediately and to conceal the device identifier, particularly in publicly accessible photographs. SinoTrack has not yet responded to CISA’s request.


Classification:
  • HashTags: #GPS #VehicleSecurity #IoT
  • Company: SinoTrack
  • Target: Vehicles
  • Product: SinoTrack GPS
  • Feature: Weak Authentication
  • Type: IoT
  • Severity: Critical