CVE-2022-2107 CRITICAL

CVE-2022-2107: ICSA-22-200-01 MiCODUS MV720 GPS tracker Use of Hard-coded Credentials

Vendor Micodus
Product MV720
Weakness CWE-798 · Hardcoded credentials
Published July 20, 2022
Last update April 16, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.

Key dates

02Disclosure timeline

July 20, 2022 CVE published
April 16, 2025 Record updated