SinoTrack GPS vulnerabilities may allow attackers to track, control vehicles
Vulnerabilities affecting the SinoTrack GPS tracking platform may allow attackers to keep tabs on vehicles’ location and even perform actions such as disconnecting power to vehicles’ fuel pump (if the tracker can interact with a car’s system).
The warning was issued by the Cybersecurity and Infrastructure Security Agency (CISA) last week, based on a report by security researcher Raúl Ignacio Cruz Jiménez, and the vulnerabilities have yet to be patched.
The vulnerabilities (CVE-2025-5484, CVE-2025-5485)
SinoTrack is a China-based manufacturer specializing in GPS tracking devices and fleet management solutions. According to the company, over 6 million of its GPS trackers are installed in vehicles around the world.
The vulnerabilities (CVE-2025-5484, CVE-2025-5485) flagged by the researcher affect all versions of the SinoTrack IOT PC platform, which connects the GPS trackers to a web/app management interface that provides dashboards, alerts, and – depending on the tracker model – enables remote control of certain functions.
SinoTrack GPS trackers are authenticated to the platform by using the device’s unique ID – a numerical identifier consisting of up to 10 digits – and a password.
But while each device’s ID (which serves as its username) may be unique, it is also printed on the tracker, which means that attackers can discover it if they have physical access to a device or can glean it from publicly available pictures of devices (e.g., from eBay listings).
Attackers can also “enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences,” CISA explained.
Add to this the fact that users are not required to change the publicly known default password when setting up the tracker, and the potential for exploitation becomes obvious.
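The two weaknesses described above (a guessable, enumerable device ID plus an unchanged default password) are exactly what a platform operator or fleet administrator can check for on their own side. The following is an added example, not code from SinoTrack or from the article: it rejects weak or default passwords at setup time and flags, in a set of constructed authentication log lines, any source that fails logins across a run of consecutive device IDs. The log format, the field names, the IP addresses and the default-password placeholder are all assumptions.

```python
"""Defender-side checks for the weak-credential pattern described above.

Constructed example: the log format, the field names and the placeholder
default password are assumptions, not SinoTrack's actual format or value.
"""
from collections import defaultdict

# Placeholder standing in for the vendor's publicly known default password.
DEFAULT_PASSWORD = "DEFAULT_PASSWORD_PLACEHOLDER"


def is_weak_password(password: str) -> bool:
    """Reject the default password and short or single-class passwords."""
    if password == DEFAULT_PASSWORD:
        return True
    if len(password) < 12:
        return True
    # Purely numeric or purely alphabetic passwords are trivial to guess.
    if password.isdigit() or password.isalpha():
        return True
    return False


def parse_auth_line(line: str) -> dict:
    """Parse a constructed 'key=value' auth log line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect_id_enumeration(lines, min_run: int = 5):
    """Flag sources whose failed logins hit a run of consecutive device IDs.

    Returns {source_ip: [longest run of consecutive IDs]} for every source
    whose failed-login IDs contain a run of at least `min_run` consecutive
    values, which is the signature of incrementing/decrementing guesses.
    """
    ids_by_source = defaultdict(set)
    for line in lines:
        rec = parse_auth_line(line)
        if rec.get("result") != "fail":
            continue
        device_id = rec.get("device", "")
        if device_id.isdigit():
            ids_by_source[rec.get("src", "?")].add(int(device_id))

    flagged = {}
    for src, ids in ids_by_source.items():
        ordered = sorted(ids)
        run = [ordered[0]]
        best = run
        for cur in ordered[1:]:
            # Extend the run on a consecutive ID, otherwise start a new one.
            run = run + [cur] if cur == run[-1] + 1 else [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_run:
            flagged[src] = best
    return flagged


# Constructed sample log lines (not real SinoTrack logs).
SAMPLE_LOG = [
    "ts=2025-06-10T10:00:01Z src=203.0.113.7 device=1234567890 result=fail",
    "ts=2025-06-10T10:00:02Z src=203.0.113.7 device=1234567891 result=fail",
    "ts=2025-06-10T10:00:03Z src=203.0.113.7 device=1234567892 result=fail",
    "ts=2025-06-10T10:00:04Z src=203.0.113.7 device=1234567893 result=fail",
    "ts=2025-06-10T10:00:05Z src=203.0.113.7 device=1234567894 result=fail",
    "ts=2025-06-10T10:00:06Z src=203.0.113.7 device=1234567895 result=ok",
    "ts=2025-06-10T10:01:00Z src=198.51.100.4 device=5550001111 result=fail",
    "ts=2025-06-10T10:02:00Z src=198.51.100.4 device=5550001111 result=ok",
]

if __name__ == "__main__":
    print(detect_id_enumeration(SAMPLE_LOG))
    print(is_weak_password("123456"), is_weak_password("Tr4ck3r!x9Qm-"))
```

In the sample, the first source fails logins against five consecutive IDs and is flagged, while the second source simply mistyped its own password once and is not. A real deployment would add a time window and an alert or temporary block on the flagged source; the password check belongs in the device-setup flow so that the default can never be kept.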
What to do?
“SinoTrack did not respond to CISA’s request for coordination,” the agency confirmed, and urged users of the company’s trackers to change the default password to a unique, complex one as soon as possible and to hide the device identifier.
“If the sticker is visible on publicly accessible photographs, consider deleting or replacing the pictures to protect the identifier,” they added.
We’ve asked SinoTrack whether they intend to implement mitigations to close this avenue for attack, and we’ll update this article when we hear back from them.
In 2022, BitSight researchers notified China-based manufacturer MiCODUS of vulnerabilities in a specific GPS tracker model that might have allowed similar attacks, and the company pushed out fixes.