CVE-2025-61666
published 2025-10-02


Priority: P181, high; CVSS 4.0 base score 8.7
Exploited in the wild (VulnCheck KEV)
EPSS: 1.20% (64.2th percentile)
Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1 - 6.8.1 and non-default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks, which can lead to leakage of passwords or of any file on the file system, including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if web.override is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default because the web override is enabled by default. The vulnerable code is removed in version 6.9.0.

Affected (1 range)

Vendor: traccar
Product: traccar
Version range: 5.8 - 6.0 (only when web.override is set in the configuration file); 6.1 - 6.8.1 (Windows default installs)
Fixed in: 6.9.0

Detection & IOCs (extracted from sources)

url: /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cProgram%20Files%5ctraccar%5cconf%5ctraccar.xml
path: Program Files\traccar\conf\traccar.xml
  • Detect LFI attempts against Traccar by matching HTTP requests that contain URL-encoded backslash traversal sequences (%5c) and target the traccar.xml configuration file path.
  • Successful exploitation returns HTTP 200 with Content-Type application/xml and a body containing the strings 'database.driver', 'database.password' and 'database.user'; monitor HTTP responses for this combination.
  • Identify exposed Traccar instances via the Shodan query html:"Traccar" or the FOFA query app="Traccar" to scope the vulnerable attack surface.
  • Versions 5.8–6.0 are only vulnerable if the 'web.override' option is explicitly set in the configuration file; default installs in this range are NOT affected.
  • Versions 6.1–6.8.1 on Windows are vulnerable by default because web override is enabled out of the box; no special configuration is required for exploitation.
  • The vulnerability is Windows-specific for default installs (6.1–6.8.1): the path traversal payload uses Windows-style backslash encoding (%5c) and targets the Windows default install path.
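As an added example (not code from this page or from the Traccar project), the two detection signatures above implemented in Python and run over constructed sample events. It goes slightly beyond the listed indicator by percent-decoding repeatedly, so double-encoded (%255c) and forward-slash variants of the traversal are caught as well; ATTEMPT, LEAK_BODY and SAMPLE_EVENTS are constructed values, not captured traffic.

```python
import re
from urllib.parse import unquote

# From the advisory's IOC section: the targeted config path and the keys a leaked traccar.xml carries.
TRACCAR_CONF = "program files/traccar/conf/traccar.xml"
LEAK_MARKERS = ("database.driver", "database.password", "database.user")

def normalize_path(raw_path):
    """Percent-decode until stable (defeats double encoding), fold '\\' to '/', lowercase."""
    path = raw_path
    for _ in range(3):  # bounded: real payloads are rarely encoded more than twice
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def is_traversal_request(raw_path):
    """Request signature: '..' segments that climb out of the web root toward the Traccar config."""
    path = normalize_path(raw_path)
    climbs = re.search(r"(^|/)\.\.(/|$)", path) is not None
    return climbs and (TRACCAR_CONF in path or path.endswith("/traccar.xml"))

def is_config_leak_response(status, content_type, body):
    """Response signature: 200, application/xml, and all three database.* keys present."""
    media_type = content_type.split(";")[0].strip().lower()
    return status == 200 and media_type == "application/xml" and all(m in body for m in LEAK_MARKERS)

def scan(events):
    """events: (id, path, status, content_type, body) tuples; returns (id, reason) for each match."""
    hits = []
    for event_id, path, status, content_type, body in events:
        if is_traversal_request(path):
            hits.append((event_id, "lfi-request"))
        if is_config_leak_response(status, content_type, body):
            hits.append((event_id, "config-leak-response"))
    return hits

# Constructed sample traffic (hypothetical values): event 1 has the advisory's request shape, event 3 is a double-encoded variant, event 2 is benign.
ATTEMPT = "/" + "..%5c" * 8 + "Program%20Files%5ctraccar%5cconf%5ctraccar.xml"
LEAK_BODY = ('<?xml version="1.0"?><properties>'
             '<entry key="database.driver">org.h2.Driver</entry>'
             '<entry key="database.user">PLACEHOLDER_USER</entry>'
             '<entry key="database.password">PLACEHOLDER_PASSWORD</entry></properties>')
SAMPLE_EVENTS = [
    (1, ATTEMPT, 200, "application/xml; charset=utf-8", LEAK_BODY),
    (2, "/api/devices?all=true", 200, "application/json", "[]"),
    (3, "/..%255c..%255cProgram%20Files%5ctraccar%5cconf%5ctraccar.xml", 404, "text/html", "Not Found"),
]
```

Feed `scan()` with (id, path, status, content_type, body) tuples built from a proxy or WAF log that retains response headers and bodies; plain access logs only support the request-side check.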

CVSS provenance

NVD: CVSS v4.0, 8.7 HIGH, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 8.7 HIGH