Two Critical Vulnerabilities in Traccar GPS System Allow Remote Code Execution

Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system, which could be exploited by unauthenticated attackers to achieve remote code execution under certain conditions.

Both vulnerabilities are path traversal flaws and can be weaponized when guest registration is enabled, which is the default configuration in Traccar version 5, according to Horizon3.ai researcher Naveen Sunkavally.

Summary of Vulnerabilities

  1. CVE-2024-24809 (CVSS score: 8.5) - This vulnerability involves path traversal using the format 'dir/../../filename' and allows unrestricted uploads of files with dangerous types.

  2. CVE-2024-31214 (CVSS score: 9.7) - This is an unrestricted file upload vulnerability in the device image upload feature, which could lead to remote code execution.

According to Sunkavally, "The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system. However, an attacker only has partial control over the filename."

Exploit Mechanism

The vulnerabilities stem from how Traccar handles device image file uploads, which allows attackers to overwrite specific files on the file system and execute code. The attacker's control over the resulting filename is constrained to one of the following patterns:

  • device.ext: The attacker controls the ext part, but there must be a file extension.
  • blah": The attacker controls blah, but the filename must end with a double quote.
  • blah1";blah2=blah3: The attacker controls blah1, blah2, and blah3, but the filename must include the sequence "; and an equals symbol.
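A hardened way to build an upload path from a caller-influenced extension, added here as an illustration of the check that blocks this class of bug (this is not Traccar's code; the media-root layout, the device.<ext> naming and the extension allow-list are assumptions):

```python
from pathlib import Path
from typing import Optional

# Added example, not Traccar's code: a hardened way to turn a caller-influenced
# file extension (for instance one derived from a Content-Type header) into an
# upload path that cannot leave the media directory.

# Allow-list of image extensions an upload endpoint would reasonably accept
# (constructed for this example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}


def validate_extension(ext: str) -> Optional[str]:
    """Return a normalised extension, or None if it is not a plain allow-listed token."""
    ext = ext.strip().lower()
    # A real extension is a short alphanumeric token: no '/', '.', '"', ';' or '='.
    if not ext or len(ext) > 8 or not ext.isalnum():
        return None
    return ext if ext in ALLOWED_EXTENSIONS else None


def stays_within(root: str, candidate: str) -> bool:
    """True only if the fully resolved candidate path lies strictly under the resolved root."""
    root_path = Path(root).resolve()
    target = Path(candidate).resolve()
    # resolve() collapses '..' segments and symlinks, so a traversal sequence
    # cannot hide behind a root-looking prefix.
    return root_path in target.parents


def safe_upload_path(media_root: str, device_id: int, ext: str) -> Optional[Path]:
    """Build media_root/<device_id>/device.<ext>, refusing anything that fails either check."""
    clean = validate_extension(ext)
    if clean is None:
        return None
    target = Path(media_root) / str(device_id) / f"device.{clean}"
    # Defence in depth: even with a validated extension, confirm the final path
    # is still inside the media root before writing anything.
    if not stays_within(media_root, str(target)):
        return None
    return target.resolve()
```

The allow-list check alone already rejects every pattern listed above, since each requires a `/`, `.`, `"`, `;` or `=` in the extension; the containment check catches any future code path that builds a filename without it.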

Proof of Concept (PoC) and Attack Scenarios

In a hypothetical proof-of-concept (PoC) devised by Horizon3.ai, an adversary can exploit the path traversal in the Content-Type header to upload a crontab file, thereby obtaining a reverse shell on the attacker's host. However, this method is ineffective on Debian/Ubuntu-based Linux systems due to restrictions that prevent crontab files from containing periods or double quotes.

Alternatively, when Traccar runs as root, attackers can insert a kernel module or configure a udev rule to execute arbitrary commands whenever a hardware event is detected.

On vulnerable Windows systems, remote code execution can be achieved by placing a shortcut (LNK) file named device.lnk in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder. This file executes when any user logs into the Traccar host.

Affected Versions and Mitigation

Traccar versions 5.1 to 5.12 are susceptible to both CVE-2024-31214 and CVE-2024-24809. These issues have been mitigated in Traccar 6, released in April 2024, which disables self-registration by default, thus reducing the attack surface.

"If the registration setting is true, readOnly is false, and deviceReadonly is false, then an unauthenticated attacker can exploit these vulnerabilities," Sunkavally explained. "These are the default settings for Traccar 5."

Reference: www.thehackernews.com

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067