History: Jul 20, 2022 - 3:24 p.m.

CVE-2022-2107 ICSA-22-200-01 MiCODUS MV720 GPS tracker Use of Hard-coded Credentials

2022-07-20 15:24:35
CWE-798
icscert
www.cve.org

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.8
Confidence: High

EPSS: 0.002
Percentile: 57.0%

The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.

CNA Affected

[
  {
    "product": "MV720",
    "vendor": "MiCODUS",
    "versions": [
      {
        "status": "affected",
        "version": "All versions"
      }
    ]
  }
]
