Cyber Resilience

CVE-2025-61666

High

Published: 02 October 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score (v4): 8.7
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0136 (80.6th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-61666 is a high-severity Path Traversal (CWE-22) vulnerability in Projectblack (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, it ranks in the top 19.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Traccar, an open source GPS tracking system, contains a path traversal vulnerability (CWE-22) that enables unauthenticated local file inclusion. Default installations on Windows in versions 6.1 through 6.8.1 are affected because the web override feature is enabled by default, while versions 5.8 through 6.0 are affected only when the configuration explicitly sets <entry key='web.override'>./override</entry>. The flaw resides in DefaultOverrideServlet and permits reading arbitrary files on the filesystem, including the Traccar configuration file that may contain passwords.

An unauthenticated remote attacker can supply crafted paths to the override servlet and retrieve sensitive files without authentication or user interaction. Successful exploitation yields disclosure of configuration secrets or other filesystem contents but does not permit modification or service disruption. The CVSS 4.0 score of 8.7 reflects the network-accessible, low-complexity nature of the attack.

The official advisory GHSA-hprc-rph8-fj87 states that the Traccar 6.9.0 release removes the vulnerable servlet code entirely. Administrators are advised to upgrade to 6.9.0 or later; non-default installations should also verify that the web.override setting is absent or disabled. The associated EPSS score rose from a low baseline to a peak of 0.0324, indicating increased exploitation interest after disclosure.

Vulnerability details

Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1 - 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Projectblack (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.
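The control above is the generic CWE-22 defence; the actual fix for this CVE is the upgrade to Traccar 6.9.0, which removes the servlet. As an added illustration of that control, and not code from Traccar, the advisory or this page, the Java class below confines a client-supplied relative path to a fixed base directory (the kind of override directory a static-file servlet serves from): it canonicalizes the base, normalizes the requested path, and rejects anything that does not remain under the base both before and after symlink resolution. The class and method names, and the sample requests in `main`, are the example's own.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

/**
 * Added example (not Traccar's code): confines a client-supplied relative
 * path to a fixed base directory, the standard guard against CWE-22.
 */
public final class OverridePathGuard {

    private final Path root;

    public OverridePathGuard(Path baseDir) throws IOException {
        // toRealPath() makes the base absolute and follows symlinks; it throws
        // if the directory does not exist, which is worth surfacing at startup.
        this.root = baseDir.toRealPath();
    }

    /**
     * Resolves the requested path against the base directory and returns the
     * target only if it is a regular file that stays inside that directory.
     */
    public Optional<Path> resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        // resolve() returns the argument unchanged when it is absolute, and
        // normalize() collapses "." and ".." segments; in both cases the result
        // must still begin with the base directory's name elements.
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            return Optional.empty();
        }
        if (!Files.isRegularFile(candidate)) {
            return Optional.empty();
        }
        // Re-check after following symlinks so a link placed inside the
        // directory cannot redirect the read outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root)) {
            return Optional.empty();
        }
        return Optional.of(real);
    }

    // Self-contained demonstration on a temporary directory (constructed input).
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("override-demo");
        Files.writeString(base.resolve("index.html"), "<html></html>");

        OverridePathGuard guard = new OverridePathGuard(base);
        String[] requests = {
            "index.html",            // inside the base: served
            "../../etc/passwd",      // walks out of the base: rejected
            "/etc/passwd",           // absolute path: rejected
            "sub/../index.html",     // normalizes back inside: served
            "missing.html",          // inside but not a regular file: rejected
        };
        for (String r : requests) {
            String verdict = guard.resolve(r)
                    .map(p -> "serve " + p.getFileName())
                    .orElse("reject");
            System.out.printf("%-22s -> %s%n", r, verdict);
        }
    }
}
```

The order of checks matters: `startsWith` on a `Path` compares whole name elements, so a sibling directory whose name merely begins with the base name (e.g. `override2` next to `override`) is not accepted, and the second `startsWith` after `toRealPath()` is what closes the symlink case that a string-prefix check alone misses.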
