CVE-2024-24809

HIGH NUCLEI

Traccar - Unrestricted File Upload

Title source: nuclei

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-24809. PoCs published by gh-ost00, Michael Heinzl, yiliufeng168, Naveen Sunkavally, Zach Hanley, Enrique Castillo, and Brian Hysell, including the Metasploit module exploits/linux/http/traccar_rce_upload. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-24809, an authentication bypass and path traversal vulnerability in the Traccar GPS tracking system. The exploit demonstrates user registration, login, device creation, and file upload with path traversal to achieve an arbitrary file write.

Description

Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of a file with a dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially to execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.

Exploits (3)

nomisec · WORKING POC · 5 stars
by gh-ost00 · poc
https://github.com/gh-ost00/CVE-2024-24809-Proof-of-concept

This repository contains a functional exploit for CVE-2024-24809, an authentication bypass and path traversal vulnerability in the Traccar GPS tracking system. The exploit demonstrates user registration, login, device creation, and file upload with path traversal to achieve an arbitrary file write.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Traccar < 6.0
No auth needed
Prerequisites: Network access to Traccar instance · Default registration enabled
devstral-2 · analyzed Feb 19, 2026
metasploit · WORKING POC · EXCELLENT
by Michael Heinzl, yiliufeng168, Naveen Sunkavally · ruby poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/traccar_rce_upload.rb

This Metasploit module exploits CVE-2024-24809 and CVE-2024-31214 in Traccar v5.1-v5.12 by combining path traversal and unrestricted file upload to achieve remote code execution via cron job manipulation.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Traccar v5.1-v5.12
Auth required
Prerequisites: self-registration enabled · network access to Traccar API
devstral-2 · analyzed Apr 23, 2026
metasploit · WORKING POC · EXCELLENT
by Michael Heinzl, Zach Hanley, Enrique Castillo, Brian Hysell · ruby poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/paloalto_expedition_rce.rb

This Metasploit module exploits CVE-2024-5910 (admin password reset) and CVE-2024-9464 (authenticated OS command injection) in Palo Alto Expedition to achieve remote code execution. It includes authentication handling, CSRF token retrieval, and command execution via cron job manipulation.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto Expedition <= 1.2.91
Auth required
Prerequisites: network access to target · default or reset admin credentials
devstral-2 · analyzed Apr 23, 2026

Nuclei Templates (1)

Traccar - Unrestricted File Upload
HIGH · VERIFIED · by DhiyaneshDK
Shodan query: html:"Traccar"

Scores

CVSS v3: 8.5
EPSS: 0.8937
EPSS Percentile: 99.6%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-27, CWE-434
Status: published
Products (1)
traccar/traccar < 6.0
Published: Apr 10, 2024
Tracked Since: Feb 18, 2026