CVE-2022-34150

7.1 HIGH

📋 TL;DR

The MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability that allows authenticated users to access or manipulate data from arbitrary device IDs without proper authorization checks. This affects organizations using MiCODUS MV720 GPS trackers for fleet management or asset tracking. Attackers with valid credentials can exploit this to view or control unauthorized devices.

💻 Affected Systems

Products:
  • MiCODUS MV720 GPS Tracker
Versions: All versions prior to patching
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web server component of the GPS tracker that is typically exposed for remote management.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with authenticated access could take control of all GPS trackers in the fleet, enabling location tracking, device manipulation, or disabling of security features across the entire deployment.

🟠 Likely Case

Unauthorized access to location data and device information from other vehicles/assets in the fleet, potentially leading to privacy violations, operational disruption, or reconnaissance for physical attacks.

🟢 If Mitigated

Limited to authorized device access only, with proper access controls preventing cross-device data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but exploitation is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with MiCODUS for specific firmware version

Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01

Restart Required: Yes

Instructions:

1. Contact MiCODUS for updated firmware.
2. Backup current configuration.
3. Apply firmware update via web interface.
4. Restart device.
5. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation

Isolate GPS tracker management interface from untrusted networks

Access Control Restrictions

Implement strict network access controls to limit who can reach the web interface

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GPS trackers from untrusted networks
  • Enforce strong authentication policies and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Test authenticated access to the endpoint with different device IDs to see whether unauthorized access is possible

Check Version:

Check firmware version via web interface or device management console

Verify Fix Applied:

After patching, attempt to access unauthorized device IDs and verify access is denied

📡 Detection & Monitoring

Log Indicators:

  • Multiple device ID access attempts from single user
  • Access to device IDs outside normal operational range

Network Indicators:

  • Unusual patterns of requests to device ID endpoints
  • Access from unauthorized IP addresses

SIEM Query:

source="gps-tracker" AND (device_id NOT IN authorized_list) AND action="access"
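
The log indicators and the query above can be implemented as a small offline check. The following is an added example, not code from the vendor or the advisory; the log line format, field names, user names, and ownership map are all constructed assumptions, since the page does not document the tracker platform's log schema.

```python
import re
from collections import defaultdict

# Constructed sample lines; the log format and field names are assumptions,
# not the tracker platform's real log schema.
SAMPLE_LOG = """\
2022-07-20T10:00:01Z user=alice src=10.0.0.5 action=access device_id=1001
2022-07-20T10:00:03Z user=alice src=10.0.0.5 action=access device_id=1002
2022-07-20T10:00:09Z user=bob src=10.0.0.9 action=access device_id=2001
2022-07-20T10:00:10Z user=bob src=10.0.0.9 action=access device_id=1001
2022-07-20T10:00:11Z user=bob src=10.0.0.9 action=access device_id=1002
2022-07-20T10:00:12Z user=bob src=10.0.0.9 action=access device_id=3007
"""

# Constructed ownership map: which device IDs each account may access.
AUTHORIZED = {"alice": {"1001", "1002"}, "bob": {"2001"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) device_id=(?P<device_id>\S+)$"
)

def find_idor_indicators(log_text, authorized, distinct_threshold=3):
    """Return (unauthorized_events, enumerating_users).

    unauthorized_events: (ts, user, src, device_id) for each access to a
    device ID outside the user's authorized set.
    enumerating_users: users who touched >= distinct_threshold distinct IDs
    they do not own.
    """
    unauthorized = []
    foreign_ids = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "access":
            continue  # skip malformed lines and unrelated actions
        allowed = authorized.get(m["user"], set())  # unknown user owns nothing
        if m["device_id"] not in allowed:
            unauthorized.append((m["ts"], m["user"], m["src"], m["device_id"]))
            foreign_ids[m["user"]].add(m["device_id"])
    enumerating = sorted(u for u, ids in foreign_ids.items()
                         if len(ids) >= distinct_threshold)
    return unauthorized, enumerating

if __name__ == "__main__":
    events, users = find_idor_indicators(SAMPLE_LOG, AUTHORIZED)
    for ev in events:
        print("unauthorized access:", *ev)
    print("possible enumeration by:", users)
```

After the fix is applied, successful responses to the flagged requests should no longer appear; if the real logs record a response status, add it to the pattern so denied attempts can be separated from successful ones.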
