cbcvebase.
CVE-2022-2107
published 2022-07-20

CVE-2022-2107: The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to…

PriorityP266critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.17%
63.5th percentile
The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.

Affected

1 ranges
VendorProductVersion rangeFixed in
micodusmv720

Detection & IOCsextracted from sources · hover to see the quote

  • Monitor MiCODUS MV720 API server traffic for unauthenticated or anomalous SMS command submissions, particularly commands related to fuel cutoff, alarm disarming, or location/route queries, which could indicate exploitation of CVE-2022-2107.
  • Alert on any MiCODUS MV720 GPS tracker API authentication attempts using credentials that do not correspond to registered user accounts, which may indicate use of the hard-coded master password.
  • ·No known public exploits specifically targeting CVE-2022-2107 were identified at time of advisory publication.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.