CVE-2022-2107

9.8 CRITICAL

📋 TL;DR

The MiCODUS MV720 GPS tracker API server uses a hard-coded master password in its authentication mechanism, allowing attackers to send SMS commands to GPS trackers as if they were the legitimate owner. This affects all users of MiCODUS MV720 GPS trackers with vulnerable firmware versions.

💻 Affected Systems

Products:
  • MiCODUS MV720 GPS Tracker
Versions: All firmware versions prior to patched versions
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices using the vulnerable API server implementation are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could remotely disable vehicle tracking, cut fuel supply, geofence vehicles, or track individuals without consent, potentially enabling theft, kidnapping, or surveillance.

🟠 Likely Case

Unauthorized tracking of vehicles/assets, disabling of GPS functionality, or sending false location data to owners.

🟢 If Mitigated

Limited impact if devices are behind firewalls with restricted SMS command access and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of the hard-coded password and ability to send SMS commands to the device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact vendor for latest firmware

Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01

Restart Required: Yes

Instructions:

1. Contact MiCODUS for updated firmware.
2. Download firmware update.
3. Apply update to GPS tracker via manufacturer's instructions.
4. Verify update applied successfully.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate GPS trackers on separate network segments with restricted inbound/outbound access

SMS Command Restriction

all

Configure mobile carriers to restrict SMS commands to authorized numbers only

🧯 If You Can't Patch

  • Disconnect affected GPS trackers from networks immediately
  • Replace vulnerable devices with alternative GPS tracking solutions

🔍 How to Verify

Check if Vulnerable:

Check if device responds to SMS commands using the hard-coded password '123456' or other default credentials

Check Version:

Contact manufacturer for firmware version checking procedure

Verify Fix Applied:

Test if SMS commands with default passwords no longer work after firmware update

📡 Detection & Monitoring

Log Indicators:

  • Unexpected SMS command patterns
  • Authentication attempts with default credentials
  • GPS tracking anomalies

Network Indicators:

  • SMS traffic to GPS devices from unauthorized sources
  • API calls using hard-coded credentials

SIEM Query:

(sms_command:* AND (password:123456 OR auth:default)) OR (device_type:"MiCODUS MV720" AND anomaly_score > threshold)
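The same rule evaluated over log events, as an added example that is not part of the original page or any vendor tooling. The field names come from the query above; the event schema, the `THRESHOLD` value and the sample events are assumptions constructed for illustration.

```python
# Added example: the page's SIEM rule as Python, run over constructed events.
# Field names are taken from the query; schema and THRESHOLD are assumptions.
THRESHOLD = 0.8                  # assumed; the page leaves "threshold" unspecified
DEFAULT_PASSWORD = "123456"      # value quoted on the page
TRACKER = "MiCODUS MV720"

def credential_clause(event):
    """sms_command:* AND (password:123456 OR auth:default)"""
    has_command = bool(event.get("sms_command"))
    weak_auth = event.get("password") == DEFAULT_PASSWORD or event.get("auth") == "default"
    return has_command and weak_auth

def anomaly_clause(event, threshold=THRESHOLD):
    """device_type:"MiCODUS MV720" AND anomaly_score > threshold"""
    score = event.get("anomaly_score")
    is_number = isinstance(score, (int, float)) and not isinstance(score, bool)
    return event.get("device_type") == TRACKER and is_number and score > threshold

def matches(event, threshold=THRESHOLD):
    """Return the reasons an event matches; an empty list means no alert."""
    reasons = []
    if credential_clause(event):
        reasons.append("default-credential SMS command")
    if anomaly_clause(event, threshold):
        reasons.append("anomalous MV720 activity")
    return reasons

# Constructed events; "<command>" stands in for any SMS command text.
SAMPLE_EVENTS = [
    {"id": "evt-1", "sms_command": "<command>", "password": "123456",
     "device_type": TRACKER, "anomaly_score": 0.2},
    {"id": "evt-2", "sms_command": "<command>", "password": "owner-chosen",
     "device_type": TRACKER, "anomaly_score": 0.95},
    {"id": "evt-3", "password": "123456",            # no SMS command present
     "device_type": "other-tracker", "anomaly_score": 0.99},
    {"id": "evt-4", "sms_command": "<command>", "auth": "default",
     "device_type": TRACKER},                        # score missing from the log
]

def triage(events, threshold=THRESHOLD):
    """Map event id -> match reasons, keeping only events that alert."""
    return {e["id"]: r for e in events if (r := matches(e, threshold))}

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Events with a missing or non-numeric `anomaly_score` are still caught by the credential clause, so incomplete log records do not suppress the default-password alert.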
