Impact
Traccar Client is a mobile GPS tracking application that sends location data to a configured server. In versions 9.7.19 and earlier the app registers a custom deep‑link scheme org.traccar.client://config that accepts parameters such as server URL, device ID, accuracy, distance and interval. A single crafted link, delivered via SMS, email, a web page or any other app, can be opened by the user without any prompt or visual indication; the app silently writes the attacker’s supplied values into its persistent configuration. As a result, all subsequent telemetry is routed to the attacker‑controlled server at full precision and maximum frequency, and the change persists across device reboots and application restarts. The affected product is Traccar Client, available from the vendor traccar:traccar-client, for all releases 9.7.19 and earlier. The issue was fixed in version 9.7.20 and later. The vulnerability has a CVSS score of 9.3, indicating a high‑severity defect. The EPSS score is below 1 %, suggesting that exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. An attacker only needs the ability to send the crafted deep‑link URL to the victim; no additional privileges or special conditions are required. Because the attack requires user interaction to open the link, the likelihood of automated exploitation is limited, but the impact on confidentiality and integrity is significant due to the continuous real‑time tracking of the victim’s location.
Affected Systems
The affected product is Traccar Client, produced by traccar:traccar-client, versions 9.7.19 and earlier. The vulnerability was fixed in version 9.7.20.
Risk and Exploitability
The vulnerability is severe with a CVSS score of 9.3, but the EPSS score is below 1 %, indicating low current exploitation probability. The attack requires a victim to tap a crafted org.traccar.client://config deep‑link URL that may be sent via SMS, e‑mail or a web page; no elevated privileges are needed. If exploited, the attacker can silently overwrite the app’s persistent configuration, redirecting all GPS telemetry to an attacker‑controlled server with maximum precision and frequency, and this reconfiguration persists across restarts. The vulnerability is not listed in CISA’s KEV catalog.
OpenCVE Enrichment