CVE-2022-2107
Published 2022-07-20
CVE-2022-2107: The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to…
Priority P266 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.17% (63.5th percentile)
The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| micodus | mv720 | — | — |
Detection & IOCs (extracted from sources)
- Monitor MiCODUS MV720 API server traffic for unauthenticated or anomalous SMS command submissions, particularly commands related to fuel cutoff, alarm disarming, or location/route queries, which could indicate exploitation of CVE-2022-2107.
- Alert on any MiCODUS MV720 GPS tracker API authentication attempts using credentials that do not correspond to registered user accounts, which may indicate use of the hard-coded master password.
- No known public exploits specifically targeting CVE-2022-2107 were identified at time of advisory publication.
CISA ICS
MiCODUS MV720 GPS tracker (Update A)
cisa_ics · 2022-07-19 · CVSS 9.8
[CRITICAL] MiCODUS MV720 GPS tracker (Update A)
ICS Advisory
## MiCODUS MV720 GPS tracker (Update A)
Last Revised: September 20, 2022
Alert Code: ICSA-22-200-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: MiCODUS
- Equipment: MV720 GPS tracker
- Vulnerabilities: Use of Hard-coded Credentials, Improper Authentication, Cross-site Scripting, Authorization Bypass Through User-controlled Key
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-22-200-01 MiCODUS MV720 GPS tracker that was published July 19, 2022, on the ICS webpa
GHSA
GHSA-xvm4-2pvm-hp3g: The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password
ghsa_unreviewed · 2022-07-21
CVE-2022-2107 [CRITICAL] CWE-798 GHSA-xvm4-2pvm-hp3g: The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password
The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2022-07-20