SinoTrack GPS Devices Exposed: Default Passwords Allow Remote Vehicle Control

June 11, 2025
IoT Security / Vulnerability

Recent security vulnerabilities in SinoTrack GPS devices could enable unauthorized remote control of specific functions in connected vehicles, including location tracking. According to an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “Successful exploitation of these vulnerabilities could allow an attacker to access device profiles without authorization through the common web management interface.” This access may enable attackers to execute functions such as tracking vehicle location and, where applicable, disconnecting the fuel pump.

The vulnerabilities impact all versions of the SinoTrack IoT PC Platform. Below is a brief overview of the identified flaws:

  • CVE-2025-5484 (CVSS score: 8.3) – Weak authentication in the central SinoTrack device management interface due to the reliance on a default password and a username that serves as an identifier.

SinoTrack GPS Devices Expose Vulnerabilities for Remote Vehicle Control

On June 11, 2025, significant security vulnerabilities were identified in SinoTrack GPS devices, which could be leveraged by attackers to manipulate certain remote functions of connected vehicles and monitor their locations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning about these risks, emphasizing that unauthorized access to the device profiles via a widely used web management interface could enable nefarious actors to perform actions such as tracking a vehicle’s location and, in some instances, disabling power to the fuel pump.

The vulnerabilities reportedly affect all iterations of the SinoTrack IoT PC Platform, creating a broad scope of risk for users of these devices. CISA’s advisory highlighted two specific flaws, notably CVE-2025-5484, which has been assigned a CVSS score of 8.3, indicating a critical level of severity. This particular vulnerability arises from inadequate authentication measures within the central management interface of SinoTrack devices, primarily due to the reliance on default usernames and passwords.

Attackers exploiting these vulnerabilities would likely employ tactics consistent with those outlined in the MITRE ATT&CK framework. Initial access could be gained through unsecured management credentials, allowing attackers to escalate privileges and gain unauthorized control over critical functionalities of the vehicle systems. The weaknesses present in these devices exemplify a broader issue within the IoT landscape, where default security settings continue to provide easy points of entry for cybercriminals.

The implications of these vulnerabilities extend beyond mere inconvenience; they pose substantial risks to vehicle owners and, by extension, public safety. Vehicle brands that utilize SinoTrack’s technology for tracking and management services may find themselves vulnerable to attacks that could culminate in unauthorized access to sensitive operational functions.

As a precaution, business owners utilizing SinoTrack’s GPS technology are strongly advised to modify default system settings immediately and implement stricter security protocols. Ensuring robust password policies and regular system updates could mitigate the risks associated with these vulnerabilities.

In conclusion, the vulnerabilities identified within SinoTrack GPS devices highlight the critical need for vigilance in cybersecurity practices, particularly in the rapidly evolving IoT sector. Maintaining updated security measures is not just a best practice but an essential component of protecting business operations and ensuring consumer safety in an increasingly interconnected environment.

Source link

Related Posts

China-Linked Cyber Espionage Group Targets Over 70 Organizations Across Diverse Sectors

June 9, 2025
Government Security / Cyber Espionage

Recent reconnaissance efforts against American cybersecurity firm SentinelOne are part of a larger wave of intrusions affecting various targets between July 2024 and March 2025. “The victims include a South Asian government agency, a European media outlet, and over 70 organizations spanning numerous sectors,” noted SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel in a recent report. Affected sectors include manufacturing, government, finance, telecommunications, and research. Notably, an IT services and logistics firm was compromised while managing equipment logistics for SentinelOne staff during the breach in early 2025. This malicious activity has been confidently linked to threat actors associated with China, with some attacks attributed to a cluster known as PurpleHaze, which overlaps with recognized Chinese cyber espionage groups labeled APT15.

CISA Includes Erlang SSH and Roundcube Vulnerabilities in Known Exploited Threats Catalog

On June 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two significant security vulnerabilities affecting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The identified vulnerabilities are:

  • CVE-2025-32433 (CVSS score: 10.0): A critical missing authentication flaw in the Erlang/OTP SSH server that could enable an attacker to execute arbitrary commands without proper credentials, potentially leading to unauthenticated remote code execution. (Patched in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20)

  • CVE-2024-42009 (CVSS score: 9.3): A cross-site scripting (XSS) vulnerability in RoundCube Webmail that may allow a remote attacker to compromise a victim’s email account by exploiting a desanitization flaw in program/actions/mail/show.php. (Fixed in August 2024 in versions 1.6…)

Researcher Uncovers Vulnerability Exposing Phone Numbers Linked to Google Accounts

Jun 10, 2025
Vulnerability / API Security

Google has acted to resolve a security flaw that could allow malicious actors to brute-force recovery phone numbers associated with Google accounts, potentially compromising user privacy and security. Singaporean security researcher “brutecat” identified that the vulnerability exploited a weakness in the company’s account recovery feature. The issue involved a now-obsolete version of the Google username recovery form (“accounts.google[.]com/signin/usernamerecovery”) that lacked sufficient anti-abuse measures to limit excessive requests. This page allows users to check if a recovery email or phone number is linked to a specific display name (e.g., “John Smith”). By bypassing the CAPTCHA rate limits, attackers could rapidly test various permutations of a Google account’s phone number, leading to possible exploitation.

Title: Over 20 Configuration Vulnerabilities Discovered in Salesforce Industry Cloud, Including Five CVEs

Date: June 10, 2025
Category: Vulnerability / SaaS Security

Cybersecurity experts have identified more than 20 configuration vulnerabilities within Salesforce Industry Cloud (formerly known as Salesforce Industries), potentially exposing sensitive data to unauthorized users. These vulnerabilities impact key components such as FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. “While low-code platforms like Salesforce Industry Cloud simplify application development, neglecting security measures can lead to significant risks,” said Aaron Costello, Chief of SaaS Security Research at AppOmni, in a statement to The Hacker News. If not mitigated, these misconfigurations may enable cybercriminals and unauthorized individuals to access encrypted sensitive information about employees and customers, session data reflecting user interactions with Salesforce Industry Cloud, credentials for Salesforce and other corporate systems, and critical business logic. Following a responsible disclosure process, more information is anticipated.