SinoTrack GPS Vulnerabilities Expose Vehicles to Potential Attacks

Vulnerabilities impacting the SinoTrack GPS tracking platform could enable malicious actors to monitor the real-time locations of vehicles and execute unauthorized actions, such as cutting power to a vehicle’s fuel pump, as noted by the Cybersecurity and Infrastructure Security Agency (CISA). A report published last week by security researcher Raúl Ignacio Cruz Jiménez highlighted the seriousness of these unresolved vulnerabilities.

The identified vulnerabilities, designated as CVE-2025-5484 and CVE-2025-5485, affect all versions of the SinoTrack IoT PC platform. This platform is pivotal for connecting GPS trackers used widely in fleet management solutions, and it provides a web and app management interface for users.

SinoTrack, based in China, claims that over 6 million GPS trackers are currently in use globally. Although the platform authenticates each device by a unique identifier, that identifier doubles as the account username and is printed on the tracker itself, so anyone who physically handles the device, or sees it in publicly available images such as listings on e-commerce platforms like eBay, can read it and use it to exploit the vulnerabilities.

CISA has confirmed that attackers can exploit these vulnerabilities by using either a known device identifier or the default password that many users never change during setup. CISA has urged users to secure their devices by setting complex, unique passwords and by minimizing the visibility of the device identifier. The agency also revealed that SinoTrack has not responded to requests for collaboration on remedying these vulnerabilities.