Two security vulnerabilities have been disclosed in SinoTrack GPS devices that can be used to control certain remote functions on connected vehicles and even track their locations.
“Successful operation of these vulnerabilities can allow the attacker to access devices without permission through the overall Internet management interface,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted in an advisory.
“Access to the device profile can allow the attacker to perform some distant features on connected vehicles such as tracking the vehicle and shutdown on the fuel pump where it is maintained.”
According to the agency, the vulnerabilities affect all versions of the SinoTrack IoT PC Platform. A brief description of the flaws is below:
- CVE-2025-5484 (CVSS score: 8.3) – Weak authentication to the central SinoTrack device management interface stems from the use of a default password and a username that is an identifier printed on the receiver.
- CVE-2025-5485 (CVSS score: 8.6) – The username used to authenticate to the web management interface, that is, the identifier, is a numerical value of no more than 10 digits.
An attacker can obtain device identifiers either through physical access or by capturing identifiers from devices shown on publicly available sites such as eBay. In addition, the adversary can enumerate potential targets by incrementing or decrementing known identifiers, or by enumerating random digit sequences.
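For whoever operates the web management interface, the enumeration described above shows up in login logs as a single source trying many different numeric IDs, often in adjacent steps. The following detection sketch is an added example, not code from CISA, SinoTrack or the original article; the log format, field names, threshold and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines; this "src= user= result=" format is an assumption.
SAMPLE_LOG = """\
2025-06-11T08:00:01Z src=203.0.113.7 user=9170012340 result=fail
2025-06-11T08:00:02Z src=203.0.113.7 user=9170012341 result=fail
2025-06-11T08:00:03Z src=203.0.113.7 user=9170012342 result=ok
2025-06-11T08:00:04Z src=203.0.113.7 user=9170012343 result=fail
2025-06-11T08:00:05Z src=203.0.113.7 user=9170012344 result=fail
2025-06-11T08:01:10Z src=198.51.100.20 user=9170055555 result=fail
2025-06-11T08:01:25Z src=198.51.100.20 user=9170055555 result=ok
2025-06-11T08:02:00Z src=192.0.2.44 user=1048812345 result=fail
2025-06-11T08:02:01Z src=192.0.2.44 user=733001 result=fail
2025-06-11T08:02:02Z src=192.0.2.44 user=5520019876 result=fail
2025-06-11T08:02:03Z src=192.0.2.44 user=88123456 result=fail
2025-06-11T08:02:04Z src=192.0.2.44 user=9001234567 result=fail
"""

# Usernames are numeric device IDs of at most 10 digits (per CVE-2025-5485).
LINE_RE = re.compile(r"src=(\S+) user=(\d{1,10}) result=(\w+)")

def longest_step_run(ids, max_step=1):
    """Longest streak of attempts where each ID is within max_step of the previous one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if 1 <= abs(cur - prev) <= max_step else 1
        best = max(best, run)
    return best

def find_enumeration(log_text, min_ids=5):
    """Flag sources that try at least min_ids distinct device IDs (hypothetical threshold)."""
    attempts = defaultdict(list)  # source address -> IDs in the order they were tried
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts[m.group(1)].append(int(m.group(2)))
    findings = {}
    for src, ids in attempts.items():
        distinct = len(set(ids))
        if distinct < min_ids:
            continue  # e.g. an owner retrying the password for one device
        run = longest_step_run(ids)
        pattern = "sequential" if run >= min_ids else "scattered"
        findings[src] = {"distinct_ids": distinct, "longest_run": run, "pattern": pattern}
    return findings

if __name__ == "__main__":
    for src, info in find_enumeration(SAMPLE_LOG).items():
        print(src, info)
```
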
“Due to the lack of security, this device allows the remote performance and control of the vehicles to which it is linked, as well as stealing sensitive information about you and your vehicles,” security researcher Raúl Ignacio Cruz Jiménez, who reported the flaws to CISA, told The Hacker News.
There are currently no fixes that address the vulnerabilities. The Hacker News has reached out to SinoTrack for comment, and we will update the story when we hear back.
In the absence of a patch, users are advised to change the default password as soon as possible and take steps to conceal the ID. “If the sticker is visible in the available photos, think about removing or replacing the images to protect the ID,” CISA said.