Sinotrack GPS devices disclose two security vulnerabilities that are utilized to control specific remote features and track locations in connected vehicles.
“The successful exploitation of these vulnerabilities will allow attackers to access device profiles without permission through a common web management interface,” the US Cyber Security and Infrastructure Security Agency (CISA) said in its advisory.
“Access to device profiles may allow an attacker to perform remote functions on connected vehicles, such as tracking the location of the vehicle or disconnecting power to a supported fuel pump.”
Per-agency vulnerabilities affect all versions of the Sinotrack IoT PC platform. A brief explanation of the defect can be found below –
- CVE-2025-5484 (CVSS Score: 8.3) – Weak authentication for the central Sinotrack device management interface is due to the use of the default password and the username, the identifier printed on the receiver.
- CVE-2025-5485 (CVSS score: 8.6) – The username used to authenticate to the web management interface, i.e., an identifier, is a number of 10 or less.
An attacker can obtain the device identifier through either physical access or capture the identifier from a photo of the device posted to a public website such as eBay. Additionally, enemies can enumerate potential targets by increasing or decreasing from known identifiers, or by enumerating random numeric sequences.
“Due to lack of security, the device allows remote execution and control of connected vehicles, and can also steal sensitive information about you and your vehicle,” security researcher Raul Ignacio Cruz Zimenez issued a statement in the hacker’s news saying he had reported the defect to the CISA.
There are currently no fixes to address the vulnerability. The Hacker News reached out to Sinotrak for comment. If you’ve heard of it, I’ll update the story.
If there is no patch, it is recommended that users change their default password as quickly as possible and take steps to hide the identifier. “If the stickers are visible in publicable photos, consider removing or replacing the photos to protect the identifier,” CISA said.
