MiCODUS MV720 GPS tracker
Severity: Act Now (CVSS 9.8)
Source: ICS-CERT ICSA-22-200-01
Published: Jul 19, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The MiCODUS MV720 GPS tracker contains hardcoded credentials (CWE-798), improper authentication (CWE-287), cross-site scripting (CWE-79), and authorization bypass through a user-controlled key, i.e. an insecure direct object reference (CWE-639). Successful exploitation allows an attacker to gain control over any MV720 GPS tracker: read its location data and routes, issue fuel cutoff commands, and disarm alarms or other protection features.
What this means
What could happen
An attacker could take control of any MV720 GPS tracker, accessing real-time location data, commanding fuel cutoff, and disarming alarms—affecting fleet visibility, vehicle operations, and security.
Who's at risk
Fleet operators and logistics companies using MiCODUS MV720 GPS trackers in vehicles should prioritize this. The MV720 is used for fleet tracking, route monitoring, and vehicle control; compromise affects operational visibility and vehicle availability.
How it could be exploited
An attacker who can reach the MV720 web tracking platform or the backend used by its mobile apps over the network can use the hardcoded credentials or the authentication bypass to take full control of a tracker and its functions without holding valid user credentials. Because device references are not checked against the requesting account (the CWE-639 flaw), access is not limited to devices the attacker owns.
Prerequisites
- Network access to the MV720 web tracking platform or mobile app
- No valid user credentials required
Key facts
- Remotely exploitable
- No authentication required
- Low complexity
- High CVSS (9.8)
- Affects fleet visibility and vehicle control
- Hardcoded credentials present
Exploitability
Low predicted exploit probability (EPSS 0.4%). EPSS estimates the likelihood of exploitation in the wild over the next 30 days; a low score does not reduce the impact of an exposed platform, so it should inform scheduling, not whether to act.
Affected products (1)
Product: MV720 GPS tracker (MV720 model)
Affected Versions: MV720
Fix Status: See mobile apps and platform updates below
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the MV720 web tracking platform and block direct Internet exposure
- HARDENING: Isolate the MV720 tracking platform behind a firewall and away from business networks until patched
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update the Android app to V2.0.32 or later from the Google Play Store
- HOTFIX: Update the iOS app to V2.1.1 or later from the Apple App Store
- HOTFIX: Update the MiCODUS web tracking platform to the latest version that eliminates the authentication loopholes
Long-term hardening
- HARDENING: If remote access to the tracking platform is required, use a VPN connection
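As an added example that is not code from MiCODUS, CISA or this advisory: a small Python audit that checks a mobile-device inventory export against the fixed app versions listed above. The CSV layout and column names are assumptions standing in for an MDM export. Versions are compared numerically, because a plain string comparison ranks 2.0.4 above 2.0.32 and would wrongly clear unpatched installs.

```python
"""Added example (not MiCODUS or CISA code): audit a mobile-app inventory
export against the patched MV720 app versions named in this advisory.

The inventory format below is a constructed stand-in for an MDM export;
the column names are assumptions, not a real vendor schema.
"""
from __future__ import annotations

import csv
import io
import re

# Minimum fixed versions from the advisory.
MIN_FIXED = {
    "android": (2, 0, 32),   # V2.0.32 or later
    "ios": (2, 1, 1),        # V2.1.1 or later
}

# Constructed sample export. "2.0.4" is deliberately included: a plain string
# compare would rank it above "2.0.32", which is the classic version-check bug.
SAMPLE_INVENTORY = """device_id,platform,app_version
truck-017,android,2.0.31
truck-018,android,V2.0.32
truck-019,android,2.0.4
van-003,ios,2.1.0
van-004,iOS,2.1.1
van-005,ios,2.2
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V2.0.32', '2.1' etc. into a tuple of ints for numeric comparison."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in nums)


def needs_update(platform: str, version: str) -> bool:
    """True if this install is below the fixed version for its platform."""
    key = platform.strip().lower()
    if key not in MIN_FIXED:
        raise ValueError(f"unknown platform: {platform!r}")
    have = parse_version(version)
    want = MIN_FIXED[key]
    # Pad so a two-part version such as 2.2 compares as (2, 2, 0).
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


def audit(csv_text: str) -> list[str]:
    """Return device_ids whose MV720 app is still below the fixed version."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        r["device_id"]
        for r in rows
        if needs_update(r["platform"], r["app_version"])
    ]


if __name__ == "__main__":
    for dev in audit(SAMPLE_INVENTORY):
        print(f"{dev}: update required")
```

Feed the real export in place of SAMPLE_INVENTORY; any device it lists still runs a vulnerable app and should stay behind the firewall restriction above until it is updated.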