CVE-2022-2107

2022-07-2016:15:08

CWE-798

icscert

web.nvd.nist.gov

2371

micodus

mv720

gps tracker

api server

authentication mechanism

hard-coded master password

sms commands

security vulnerability

cve-2022-2107

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

57.0%

JSON

The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.

Affected configurations

Nvd

Node

micodusmv720Match-

AND

micodusmv720_firmwareMatch-

VendorProductVersionCPE
micodusmv720-cpe:2.3:h:micodus:mv720:-:*:*:*:*:*:*:*
micodusmv720_firmware-cpe:2.3:o:micodus:mv720_firmware:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
micodus	mv720	-	cpe:2.3:h:micodus:mv720:-:::::::*
micodus	mv720_firmware	-	cpe:2.3:o:micodus:mv720_firmware:-:::::::*

CNA Affected

[
  {
    "product": "MV720",
    "vendor": "MiCODUS",
    "versions": [
      {
        "status": "affected",
        "version": "All versions"
      }
    ]
  }
]