Pierluigi Paganini June 12, 2025

Two vulnerabilities in SinoTrack GPS devices can allow remote vehicle control and location tracking by attackers, US CISA warns.

U.S. CISA warns of two vulnerabilities in SinoTrack GPS devices that remote attackers can exploit to access a vehicle’s device profile without permission. The researchers warn that potential exploitation could allow attackers to track its location or even cut power to the fuel pump, depending on the model.

“Successful exploitation of these vulnerabilities could allow an attacker to access device profiles without authorization through the common web management interface.” reads the advisory published by CISA. “Access to the device profile may allow an attacker to perform some remote functions on connected vehicles such as tracking the vehicle location and disconnecting power to the fuel pump where supported.”

Below is a brief description of the vulnerabilities:

• CVE-2025-5484 (CVSS score: 8.3) – SinoTrack devices use a default password that’s the same for all units, and changing it isn’t required during setup. Since the username is just the device ID printed on the label, someone could easily gain access by either physically seeing the device or spotting it in online photos, like on eBay. This makes it surprisingly easy for attackers to break in.
• CVE-2025-5485 (CVSS score: 8.6) – SinoTrack devices use a default password that’s the same for all units, and changing it isn’t required during setup. Since the username is just the device ID printed on the label, someone could easily gain access by either physically seeing the device or spotting it in online photos, like on eBay. This makes it surprisingly easy for attackers to break in.

CISA urges users to change default passwords, hide device IDs, and assess risks before taking action. Since SinoTrack didn’t respond to CISA, users should check with the vendor directly. CISA also recommends following cybersecurity best practices, avoiding phishing links, and reporting any suspicious activity. No known public exploitation of the vulnerabilities has been reported so far.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SinoTrack GPS)