CISA Warns of Remote Control Flaws in SinoTrack GPS Trackers

Owners of SinoTrack GPS devices should be aware of significant security weaknesses that could allow unauthorized individuals to track vehicles or even cut off their fuel remotely. These vulnerabilities, affecting all known SinoTrack devices and the SinoTrack IOT PC Platform, were recently brought to light by independent researcher Raúl Ignacio Cruz Jiménez. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding these issues.
Two main problems have been identified. The first, labelled CVE-2025-5484, is a weak authentication flaw, which means that logging into the device’s management system is too easy. Every device uses its unique identifier, which is printed on the receiver, as the username.
What’s more concerning is that the default password is widely known and is the same for all devices. Users are not forced to change this password when setting up their devices, making it simple for an attacker to guess. An attacker could find device identifiers by physically looking at a device or by finding pictures of devices online, for example, on websites like eBay.
The second issue, CVE-2025-5485, is an observable response discrepancy. This flaw relates to how usernames are structured; they are numerical identifiers, up to 10 digits long. This makes it possible for malicious actors to guess valid usernames by simply trying different number sequences, either by counting up or down from known identifiers, or by trying random numbers.
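The enumeration pattern described above leaves a recognisable trace in login logs: one source walking numeric usernames one step at a time, with the platform's differing responses telling it which identifiers exist. The following detector is an added example written for this article, not code from SinoTrack, CISA or the researcher; the log format and the IP addresses and device identifiers are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not a real SinoTrack platform log format):
# 203.0.113.5 counts device identifiers upward and the "reason" field leaks
# whether each one exists; 198.51.100.7 is a legitimate user mistyping a password.
SAMPLE_LOG = """\
2025-06-10T12:00:01Z src=203.0.113.5 user=9012345670 result=fail reason=unknown_user
2025-06-10T12:00:02Z src=203.0.113.5 user=9012345671 result=fail reason=unknown_user
2025-06-10T12:00:03Z src=203.0.113.5 user=9012345672 result=fail reason=bad_password
2025-06-10T12:00:04Z src=203.0.113.5 user=9012345673 result=fail reason=unknown_user
2025-06-10T12:00:05Z src=203.0.113.5 user=9012345674 result=fail reason=unknown_user
2025-06-10T12:00:09Z src=198.51.100.7 user=4455667788 result=fail reason=bad_password
2025-06-10T12:00:15Z src=198.51.100.7 user=4455667788 result=fail reason=bad_password
2025-06-10T12:00:20Z src=198.51.100.7 user=4455667788 result=ok reason=-
"""

# Usernames are numeric identifiers of up to 10 digits, as the advisory states.
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\d{1,10}) result=\S+ reason=(?P<reason>\S+)")

def parse(log_text):
    """Yield (src, user_id, reason) for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("user")), m.group("reason")

def find_enumeration(log_text, min_distinct=4, min_sequential=3):
    """Flag sources that look like they are enumerating usernames.

    Two signals: many distinct identifiers tried from one source, and consecutive
    attempts whose identifiers differ by exactly 1 (counting up or down).
    Returns {src: {"distinct": n, "sequential_run": k, "unknown_user": u}}.
    """
    per_src = defaultdict(list)
    for src, user, reason in parse(log_text):
        per_src[src].append((user, reason))
    findings = {}
    for src, attempts in per_src.items():
        users = [u for u, _ in attempts]
        longest = run = 1
        for prev, cur in zip(users, users[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            longest = max(longest, run)
        distinct = len(set(users))
        unknown = sum(1 for _, r in attempts if r == "unknown_user")
        if distinct >= min_distinct or longest >= min_sequential:
            findings[src] = {"distinct": distinct, "sequential_run": longest, "unknown_user": unknown}
    return findings
```

The `unknown_user` count is worth keeping in the finding: a platform that returns the same response for a wrong username and a wrong password would leave that field uninformative, which is exactly the fix for an observable response discrepancy.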
If successful, an attacker could gain control over connected vehicles, potentially tracking their whereabouts or even cutting power to the fuel pump where supported.
These vulnerabilities are considered highly severe, with one of the flaws, CVE-2025-5485, earning a CVSS v4 score of 8.8. As of now, CISA has not received reports of these specific vulnerabilities being actively exploited in public attacks.
SinoTrack has not yet responded to CISA’s requests for information or provided fixes for these problems. Therefore, users are strongly advised to take immediate action to protect their devices. The most crucial step is to change the default password to a strong, unique one through the management interface available at sinotrack.com.
Additionally, it is important to hide the device identifier. If the sticker with the identifier is visible in any public photos, it’s recommended to remove or replace those pictures to prevent attackers from finding this information.
CISA also recommends general cybersecurity practices, like being careful about clicking links in suspicious emails, to avoid further risks. More detailed guidance on securing control systems is available on CISA’s website.
HackRead