Two high-severity security flaws (CVSS 8.3 and 8.6) have been disclosed in SinoTrack GPS devices, exposing connected vehicles to remote location tracking and, on some models, remote control of vehicle functions.
According to an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the vulnerabilities could allow attackers to gain unauthorized access to device profiles through the web-based management interface.
“Successful exploitation of these vulnerabilities could enable an attacker to access device profiles without authorization,” CISA stated. “This could lead to remote tracking of vehicle locations and, in some models, even disabling the fuel pump.”
All versions of the SinoTrack IoT PC Platform are impacted. The two vulnerabilities identified are:
- CVE-2025-5484 (CVSS score: 8.3) – Weak authentication on the web management interface: devices ship with a default password, and the username is derived from the device identifier printed on a sticker on the unit, so anyone who can read the sticker and knows the default can log in.
- CVE-2025-5485 (CVSS score: 8.6) – Predictable usernames: the identifier is a numeric value of at most 10 digits. Because the password is a known default, an attacker only has to guess the username, and valid identifiers are close enough together that the effective search space is far smaller than the full 10-digit range.
An attacker can obtain a device identifier through physical access to the unit or simply by examining photos of devices offered on public marketplaces such as eBay. Once one identifier is known, the attacker can locate additional devices by trying nearby numeric values.
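As an added example (not from the CISA advisory, the article or SinoTrack), the kind of check a defender can run over the management interface's login logs to catch the enumeration described above: flag any client that submits logins for a run of consecutive numeric usernames. The log line format, field names, sample entries and the threshold of five consecutive IDs are all constructed for this illustration; the page does not describe the real platform's logging.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format (hypothetical, not SinoTrack's real format):
#   <timestamp> <client_ip> LOGIN user=<username> result=<ok|fail>
# The entries below are invented sample data.
SAMPLE_LOG = """\
2025-06-12T10:00:01Z 203.0.113.5 LOGIN user=9012345670 result=fail
2025-06-12T10:00:02Z 203.0.113.5 LOGIN user=9012345671 result=fail
2025-06-12T10:00:02Z 203.0.113.5 LOGIN user=9012345672 result=ok
2025-06-12T10:00:03Z 203.0.113.5 LOGIN user=9012345673 result=fail
2025-06-12T10:00:03Z 203.0.113.5 LOGIN user=9012345674 result=ok
2025-06-12T10:00:04Z 203.0.113.5 LOGIN user=9012345675 result=fail
2025-06-12T10:05:00Z 198.51.100.7 LOGIN user=9012345672 result=ok
2025-06-12T10:06:00Z 198.51.100.7 LOGIN user=alice result=fail
"""

LINE_RE = re.compile(r"^(\S+) (\S+) LOGIN user=(\S+) result=(ok|fail)$")


@dataclass
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        attempts.append(Attempt(ts, ip, user, result == "ok"))
    return attempts


def is_device_id(user):
    """Usernames on the page are numeric identifiers of at most 10 digits."""
    return user.isdigit() and len(user) <= 10


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in a set of ints."""
    best = 0
    for n in ids:
        if n - 1 in ids:
            continue  # only count from the start of a run
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best


def find_enumeration(attempts, min_run=5):
    """Return {ip: info} for clients whose login attempts walk through at least
    min_run consecutive numeric usernames. info records the run length, the
    number of distinct IDs tried and which IDs were accepted (the hits an
    attacker would keep)."""
    by_ip = defaultdict(list)
    for a in attempts:
        if is_device_id(a.user):
            by_ip[a.ip].append(a)
    flagged = {}
    for ip, rows in by_ip.items():
        ids = {int(a.user) for a in rows}
        run = longest_consecutive_run(ids)
        if run >= min_run:
            successes = sorted({a.user for a in rows if a.ok})
            flagged[ip] = {"run": run, "distinct_ids": len(ids), "successes": successes}
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['run']} consecutive IDs tried, "
              f"{len(info['successes'])} accepted: {info['successes']}")
```

The detector keys on the shape of the activity rather than on failed logins alone, because with a default password many of the attempts in a sweep succeed; a rule that only counts failures would miss exactly the hits the attacker cares about. Tune `min_run` to the platform's legitimate traffic (a fleet operator logging into several of its own devices in sequence could trip a low threshold).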
“These vulnerabilities make it possible for remote attackers to control vehicle functions and access sensitive data,” said security researcher Raúl Ignacio Cruz Jiménez, who reported the flaws to CISA.
Currently, no official patches are available to address the issues. SinoTrack has been contacted for comment, and updates will follow if a response is received.
In the meantime, users are strongly encouraged to change the default password on every device and to keep the device identifier out of sight. CISA advises removing or editing any publicly shared images that show the sticker carrying the identifier. Note that a predictable username only becomes exploitable when paired with a guessable password, so a unique, strong password per device closes the enumeration path for that device even though the identifier itself cannot be changed.