Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations.
“Successful exploitation of these vulnerabilities could allow an attacker to access device profiles without authorization through the common web management interface,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
“Access to the device profile may allow an attacker to perform some remote functions on connected vehicles such as tracking the vehicle location and disconnecting power to the fuel pump where supported.”
The vulnerabilities, per the agency, affect all versions of the SinoTrack IoT PC Platform. A brief description of the flaws is below –
- CVE-2025-5484 (CVSS score: 8.3) – Weak authentication to the central SinoTrack device management interface stems from the use of a default password and a username that’s an identifier printed on the receiver.
- CVE-2025-5485 (CVSS score: 8.6) – The username used to authenticate to the web management interface, i.e., the identifier, is a numerical value of no more than 10 digits.
An attacker could retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay. Furthermore, the adversary could enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences.
“Due to its lack of security, this device allows remote execution and control of the vehicles to which it is connected and also steals sensitive information about you and your vehicles,” security researcher Raúl Ignacio Cruz Jiménez, who reported the flaws to CISA, told The Hacker News in a statement.
There are currently no fixes that address the vulnerabilities. The Hacker News has reached out to SinoTrack for comment, and we will update the story if we hear back.
In the absence of a patch, users are advised to change the default password as soon as possible and take steps to conceal the identifier. “If the sticker is visible on publicly accessible photographs, consider deleting or replacing the pictures to protect the identifier,” CISA said.
