CalAmp LMU 3030 series OBD-II CDMA and GSM devices have an SMS (text message) interface that can be deployed with no password configured for this interface by the integrator / reseller
Description
CalAmp LMU 3030 series OBD-II CDMA and GSM devices have an SMS (text message) interface that can be deployed with no password configured for this interface by the integrator / reseller. This interface must be password protected; otherwise, an attacker only needs to know the phone number of the device (obtained via an IMSI Catcher, for example) to send administrative commands to it. These commands can be used to provide ongoing, real-time access to the device and can configure parameters such as IP addresses, firewall rules, and passwords.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CalAmp LMU 3030 series OBD-II devices have an unauthenticated SMS interface allowing remote attackers to send administrative commands.
Vulnerability
The CalAmp LMU 3030 series OBD-II devices (both CDMA and GSM versions) include an SMS interface that can be deployed without a password by the integrator/reseller. This missing authentication (CWE-306) allows any SMS sender to access administrative functions. Affected versions include all firmware versions where the SMS password is not configured.
Exploitation
An attacker only needs to know the device's phone number, which can be obtained via an IMSI Catcher or other means. With that number, the attacker can send SMS messages containing administrative commands to the device. No authentication is required if the password is not set.
Impact
Successful exploitation provides ongoing, real-time access to the device. The attacker can configure parameters such as IP addresses, firewall rules, and passwords. Additionally, older firmware versions could be remotely updated with malicious code that could affect the vehicle's CAN bus, potentially impacting vehicle control.
Mitigation
The SMS interface should be password-protected or disabled. Vendors known to be affected have been contacted and have password-protected or disabled the SMS interface. Users should update to the latest firmware from CalAmp for defense in depth. The CERT/CC note recommends configuring an SMS password and updating firmware [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CalAmp/LMU 3030 OBD-II v5, Range: CDMA
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/251927 (mitre; third-party-advisory; x_refsource_CERT-VN)
- www.securityfocus.com/bid/98964 (mitre; vdb-entry; x_refsource_BID)