CISA Highlights Security Flaws in SinoTrack GPS Devices

Owners of SinoTrack GPS devices are being warned about significant security vulnerabilities that could allow unauthorized access to, and control over, their vehicles. An alert from the US Cybersecurity and Infrastructure Security Agency (CISA) identified these flaws, which were reported by independent researcher Raúl Ignacio Cruz Jiménez. The vulnerabilities, affecting all known SinoTrack devices, raise serious concerns regarding user safety and privacy.

The vulnerabilities stem from two main issues. The first, labeled CVE-2025-5484, is a weak authentication flaw. Each SinoTrack device uses its unique identifier as the username, and that identifier can be easily discovered. Coupled with a default password that is the same across all devices, this leaves users at risk of having their systems compromised, since an attacker can easily guess a valid set of login credentials.

The second issue, identified as CVE-2025-5485, is an observable response discrepancy: the platform responds differently depending on whether a submitted username is valid. Because usernames are numeric identifiers, malicious actors could confirm valid usernames simply by guessing through numerical sequences. Once logged in, an attacker could take control of the vehicle's GPS tracking capabilities or even disable the fuel pump remotely.

Despite the severity of these vulnerabilities (CVE-2025-5485 carries a CVSS v4 score of 8.8), CISA has indicated that no public attacks exploiting these weaknesses have been reported yet. SinoTrack has not responded to CISA's inquiries for further information or to provide any fixes. Users are advised to take immediate steps to secure their devices, including changing the default password and hiding device identifiers in any publicly shared images. More information on recommended cybersecurity practices can be found on CISA's website and in its guidance on securing control systems.
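To make the two weaknesses concrete from the defender's side, here is an added example (not SinoTrack's code, and not from the CISA advisory) of a small in-memory login service. It shows the leaky pattern behind CVE-2025-5485, where the response tells the caller whether a device ID exists, next to a hardened handler that answers every failure identically and does equal work on both paths; it also shows the CVE-2025-5484 problem, a factory-wide default password, being refused at login and surfaced by an audit function so the owner is forced to change it. The device IDs, the account table, the placeholder default password and all function names are constructed for this illustration.

```python
"""Login-response discrepancy and default-credential handling (constructed example)."""
import hashlib
import hmac
import os

# Constructed placeholder: stands in for a factory default shared by every device.
FACTORY_DEFAULT_PASSWORD = "FACTORY-DEFAULT-PLACEHOLDER"
_PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; used for both stored hashes and checks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


def make_account(device_id: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"device_id": device_id, "salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed sample accounts. Usernames are numeric device identifiers, as the
# advisory describes; the first account has never left the factory default.
ACCOUNTS = {
    "9010000001": make_account("9010000001", FACTORY_DEFAULT_PASSWORD),
    "9010000002": make_account("9010000002", "correct horse battery staple"),
}


def login_leaky(device_id: str, password: str) -> tuple:
    """Vulnerable pattern: the error message reveals whether the device ID exists,
    so a caller can enumerate valid numeric usernames without knowing a password."""
    acct = ACCOUNTS.get(device_id)
    if acct is None:
        return (404, "unknown device id")          # discloses that the ID is invalid
    if hmac.compare_digest(_hash_password(password, acct["salt"]), acct["pw_hash"]):
        return (200, "ok")
    return (401, "wrong password")                 # discloses that the ID is valid


# Dummy credential so the unknown-ID path costs the same as the known-ID path
# (avoids a timing discrepancy in place of the message discrepancy).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)


def still_on_default(acct: dict) -> bool:
    """True when the stored hash still matches the factory-wide default password."""
    return hmac.compare_digest(_hash_password(FACTORY_DEFAULT_PASSWORD, acct["salt"]), acct["pw_hash"])


def login_uniform(device_id: str, password: str) -> tuple:
    """Hardened pattern: one response for every failure (unknown ID, wrong password,
    or an account still on the shared default), with equal work on each path."""
    acct = ACCOUNTS.get(device_id)
    salt = acct["salt"] if acct is not None else _DUMMY_SALT
    expected = acct["pw_hash"] if acct is not None else _DUMMY_HASH
    computed = _hash_password(password, salt)      # always hashed, even for unknown IDs
    ok = hmac.compare_digest(computed, expected) and acct is not None
    if ok and still_on_default(acct):
        # Correct password, but it is the factory default: deny and leave the owner
        # to reset it through an out-of-band channel rather than confirm anything.
        ok = False
    if not ok:
        return (401, "invalid credentials")
    return (200, "ok")


def audit_default_credentials(accounts: dict) -> list:
    """List device IDs whose password is still the factory default, for forced resets."""
    return sorted(dev_id for dev_id, acct in accounts.items() if still_on_default(acct))


if __name__ == "__main__":
    print("leaky, unknown ID:   ", login_leaky("0000000000", "x"))
    print("leaky, wrong pw:     ", login_leaky("9010000002", "x"))
    print("uniform, unknown ID: ", login_uniform("0000000000", "x"))
    print("uniform, wrong pw:   ", login_uniform("9010000002", "x"))
    print("still on default:    ", audit_default_credentials(ACCOUNTS))
```

The point of `login_uniform` is that an outside caller learns nothing from a failure except that the pair was rejected: the status code, the message and the amount of hashing work are the same whether the device ID is unknown, the password is wrong, or the account is still on the shared default. The `audit_default_credentials` check is what a platform operator would run to find accounts that need a forced password change, which is the mitigation CISA recommends to owners.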