
Jun 11, 2025 | Ravie Lakshmanan | IoT Security / Vulnerability

Researchers have disclosed two vulnerabilities in SinoTrack GPS devices that could allow attackers to track connected vehicles and remotely control certain functions on them.

According to an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), successful exploitation of these vulnerabilities could grant an attacker unauthorized access to device profiles through the web management interface.

Such access could allow an attacker to perform some remote functions on a connected vehicle, such as tracking its location and, on vehicles that support it, cutting power to the fuel pump.

According to the agency, the vulnerabilities affect all versions of the SinoTrack IoT PC Platform:

  • CVE-2025-5484 (CVSS score: 8.3) – The central SinoTrack device management interface uses weak authentication: a default password, and a username that is simply the identifier printed on the receiver.
  • CVE-2025-5485 (CVSS score: 8.6) – The username used to authenticate to the web management interface is a numerical value of at most 10 digits, which makes the identifier space small enough to enumerate.

An attacker could obtain device identifiers through physical access to a device, or by reading them off publicly posted photographs of devices on sites such as eBay. Attackers could also enumerate further targets by incrementing or decrementing from a known identifier, or by trying random digit sequences. Combined with the default password, any identifier found this way is a working credential for every device whose owner has not changed that password.
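The enumeration pattern described above (walking identifiers up or down from a known one, or spraying many numeric usernames from one source) is also what a defender can look for in the management interface's login logs. The following is an added example written for this article; it is not code from The Hacker News, CISA, or SinoTrack. It assumes a hypothetical login log format of the form `<ISO timestamp> <source IP> login user=<numeric id> result=ok|fail`, and the sample log lines embedded in it are constructed for the example.

```python
"""Flag source IPs whose login attempts look like identifier enumeration.

Added example (not from the article, CISA, or SinoTrack). It assumes a
hypothetical login log format:
    <ISO timestamp> <src_ip> login user=<numeric id> result=<ok|fail>
and flags a source IP that (a) tries many distinct numeric usernames within
a short window, or (b) walks through consecutive identifiers.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames are numeric with at most 10 digits, matching the advisory.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"login user=(?P<user>\d{1,10}) result=(?P<res>ok|fail)$"
)

# Constructed sample log (not real data). 203.0.113.7 walks five consecutive
# identifiers and gets two hits; 198.51.100.4 is a normal user retrying one
# login; 192.0.2.50 probes in strides of 5 and stays under the thresholds.
SAMPLE_LOG = """\
2025-06-10T08:00:01 203.0.113.7 login user=9031544217 result=fail
2025-06-10T08:00:03 203.0.113.7 login user=9031544218 result=fail
2025-06-10T08:00:05 203.0.113.7 login user=9031544219 result=ok
2025-06-10T08:00:07 203.0.113.7 login user=9031544220 result=fail
2025-06-10T08:00:09 203.0.113.7 login user=9031544221 result=ok
2025-06-10T08:30:00 198.51.100.4 login user=9031544219 result=ok
2025-06-10T09:15:00 198.51.100.4 login user=9031544219 result=fail
2025-06-10T09:15:20 198.51.100.4 login user=9031544219 result=ok
2025-06-10T10:00:00 192.0.2.50 login user=4400012345 result=fail
2025-06-10T10:00:10 192.0.2.50 login user=4400012350 result=fail
2025-06-10T10:00:20 192.0.2.50 login user=4400012355 result=fail
this line is malformed and is skipped by the parser
"""


def parse(lines):
    """Yield (timestamp, ip, user_id, success) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["ip"], int(m["user"]), m["res"] == "ok")


def longest_consecutive_run(ids):
    """Length of the longest run of attempts in which each identifier differs
    from the previous one by exactly 1 (in either direction), in the order seen."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best


def max_distinct_in_window(times, ids, window):
    """Largest number of distinct identifiers tried within any `window` of time."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, len(set(ids[start:end + 1])))
    return best


def detect_enumeration(lines, window=timedelta(minutes=5), max_distinct=5, min_run=4):
    """Return {ip: details} for IPs whose attempts look like identifier enumeration.

    `details` records the two signals and which identifiers the IP logged in to,
    so an analyst can see immediately which device profiles were reached.
    """
    by_ip = defaultdict(list)
    for ts, ip, uid, ok in parse(lines):
        by_ip[ip].append((ts, uid, ok))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # chronological order per source IP
        times = [ts for ts, _, _ in attempts]
        ids = [uid for _, uid, _ in attempts]
        peak = max_distinct_in_window(times, ids, window)
        run = longest_consecutive_run(ids)
        if peak >= max_distinct or run >= min_run:
            alerts[ip] = {
                "distinct_in_window": peak,
                "consecutive_run": run,
                "successes": sorted({uid for _, uid, ok in attempts if ok}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info}")
```

With the defaults, only 203.0.113.7 is flagged: it tried five distinct identifiers in eight seconds, walked five consecutive values, and logged in to two of them. The stride-5 probing from 192.0.2.50 is deliberately left below both thresholds to show the rule's limit: an attacker who skips values or spreads attempts across many source addresses needs a different signal (for example, first-seen logins to a profile from a new address), so treat the thresholds as a starting point rather than a fixed rule.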

Security researcher Raúl Ignacio Cruz Jiménez, who discovered the vulnerabilities and reported them to CISA, stated, “Due to the lack of security in this device, it allows remote execution and control of the connected vehicles and also steals sensitive information about you and your vehicles.”

Currently, there are no available fixes for these vulnerabilities. The Hacker News has reached out to SinoTrack for a comment and will update the story if a response is received.

In the absence of a patch, users are advised to change the default password immediately and take steps to conceal the identifier. CISA recommends, “If the sticker is visible on publicly accessible photographs, consider deleting or replacing the pictures to protect the identifier.”
