CVE-2024-24809
published 2024-04-10


Priority: P2 68 high
CVSS 3.1: 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L)
Exploit: available
EPSS: 54.41% (98.9th percentile)
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.

Affected

1 range

Vendor   Product  Version range  Fixed in
traccar  traccar  < 6.0          6.0

Detection & IOCs (extracted from sources)

url: POST /api/users HTTP/1.1
url: POST /api/session HTTP/1.1
url: POST /api/devices HTTP/1.1
url: POST /api/devices/{{value}}/image HTTP/1.1
path: /../../../../../opt/traccar/modern
  • Detect path traversal in the uniqueId field of PUT /api/devices requests — look for sequences like '../' traversing to sensitive directories such as /opt/traccar/modern.
  • Monitor POST requests to /api/devices/{id}/image with non-standard or spoofed Content-Type headers (e.g., image/srHtgGrc) as an indicator of malicious file upload attempts.
  • Alert on uploaded files matching the pattern device.* appearing outside of expected image directories, especially in web-accessible paths like /opt/traccar/modern.
  • On Red Hat-based Linux systems, monitor for new cron job files created by the Traccar process (typically running as root), since the Metasploit module achieves RCE by dropping a cron job payload.
  • Flag rapid sequential API calls: POST /api/users → POST /api/session → POST /api/devices → POST /api/devices/{id}/image → PUT /api/devices/{id} from the same source IP, which matches the exploit chain flow.
  • Self-registration abuse: monitor POST /api/users for bulk account creation followed immediately by device creation and image upload, indicating automated exploitation.
  • The vulnerability is exploitable only when Traccar's default self-registration is enabled. Disabling registration eliminates the unauthenticated attack surface (though authenticated users can still exploit it).
  • Traccar runs as root by default, meaning successful exploitation results in full system compromise rather than limited user-level access.
  • The Metasploit RCE module (combining CVE-2024-24809 and CVE-2024-31214) is confirmed to work on Red Hat-based Linux systems; behavior on other distributions may differ.
  • CVE-2024-24809 (path traversal) is chained with CVE-2024-31214 (unrestricted file upload) to achieve RCE; the path traversal alone does not execute code.
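The detection notes above describe three observable signals: the ordered request chain from one source IP, a non-standard Content-Type on the device image upload, and `../` traversal sequences in request paths. The following is an added example of how a defender might combine them into a simple log-review script; it is not code from the advisory, the Traccar project, or the Metasploit module. The record fields (`ip`, `method`, `path`, `content_type`) and the set of expected image MIME types are assumptions about whatever proxy or access-log format is in use, and the sample records are constructed, not real traffic.

```python
"""Sequence-based detector for the CVE-2024-24809 exploit chain described above.

Added example, not from the advisory or the Traccar project. The log records
below are constructed for illustration; field names (ip, method, path,
content_type) are assumptions about the proxy/access-log format in use.
"""
import re
from collections import defaultdict

# The ordered request chain from the detection notes above.
CHAIN = [
    ("POST", re.compile(r"^/api/users$")),
    ("POST", re.compile(r"^/api/session$")),
    ("POST", re.compile(r"^/api/devices$")),
    ("POST", re.compile(r"^/api/devices/\d+/image$")),
    ("PUT", re.compile(r"^/api/devices/\d+$")),
]

# Content types a legitimate device image upload would carry (assumption).
EXPECTED_IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif", "image/webp"}

# Plain and URL-encoded forms of a dot-dot-slash traversal sequence.
TRAVERSAL = re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)


def chain_progress(requests):
    """Return how many consecutive steps of CHAIN appear, in order, in `requests`.

    `requests` is a list of (method, path) for one source IP, in time order.
    Chain steps may be interleaved with unrelated requests.
    """
    step = 0
    for method, path in requests:
        if step == len(CHAIN):
            break
        want_method, want_path = CHAIN[step]
        if method == want_method and want_path.match(path):
            step += 1
    return step


def analyze(records, min_steps=5):
    """Group records by source IP and return a dict ip -> list of findings.

    Each record is a dict with ip, method, path and an optional content_type.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, recs in by_ip.items():
        hits = []
        steps = chain_progress([(r["method"], r["path"]) for r in recs])
        if steps >= min_steps:
            hits.append(f"exploit chain: {steps}/{len(CHAIN)} steps observed in order")
        for r in recs:
            if TRAVERSAL.search(r["path"]):
                hits.append(f"path traversal in request path: {r['path']}")
            ct = r.get("content_type")
            if (r["method"] == "POST" and r["path"].endswith("/image")
                    and ct is not None and ct.lower() not in EXPECTED_IMAGE_TYPES):
                hits.append(f"non-standard Content-Type on image upload: {ct}")
        if hits:
            findings[ip] = hits
    return findings


# Constructed sample records (not real traffic).
SAMPLE = [
    {"ip": "203.0.113.7", "method": "POST", "path": "/api/users"},
    {"ip": "203.0.113.7", "method": "POST", "path": "/api/session"},
    {"ip": "203.0.113.7", "method": "POST", "path": "/api/devices"},
    {"ip": "203.0.113.7", "method": "GET", "path": "/api/devices"},  # unrelated noise
    {"ip": "203.0.113.7", "method": "POST", "path": "/api/devices/12/image",
     "content_type": "image/EXAMPLE-spoofed"},
    {"ip": "203.0.113.7", "method": "PUT", "path": "/api/devices/12"},
    {"ip": "198.51.100.4", "method": "POST", "path": "/api/session"},  # normal login
    {"ip": "198.51.100.4", "method": "POST", "path": "/api/devices/3/image",
     "content_type": "image/png"},  # normal upload
]

if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE).items():
        print(ip)
        for h in hits:
            print("  -", h)
```

The chain matcher tolerates interleaved unrelated requests, since a real client will issue other calls between the steps; lowering `min_steps` trades false positives for earlier alerting on partial chains. Because the `uniqueId` value travels in the PUT body rather than the URL, the traversal check here only catches traversal in request paths; body inspection needs a proxy or WAF that logs request bodies.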