Cyber Resilience

CVE-2025-68930

Severity: High · Public PoC

Published: 23 February 2026
Modified: 26 February 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
EPSS Score: 0.0011 (29.4th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68930 is a high-severity Missing Origin Validation in WebSockets (CWE-1385) vulnerability in the Traccar GPS tracking server (vendor: Traccar, product: Traccar). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). EPSS ranks it at the 29.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2025-68930 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability, classified under CWE-1385, affecting versions of the Traccar open-source GPS tracking system up to and including 6.11.1. The issue resides in the `/api/socket` endpoint, where the application does not validate the `Origin` header during the WebSocket handshake. This flaw enables attackers to circumvent the Same Origin Policy (SOP), allowing unauthorized establishment of a full-duplex WebSocket connection.

A remote attacker can exploit this vulnerability without privileges (PR:N) over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). By tricking a logged-in user into visiting a malicious webpage, for example through a phishing link, the attacker has the victim's browser open a WebSocket to `/api/socket`; the browser attaches the victim's existing JSESSIONID cookie to the handshake, so the connection is authenticated as the victim even though the attacker never learns the cookie value. Successful exploitation is rated high confidentiality impact (C:H) and low integrity impact (I:L), with no availability impact (A:N) and unchanged scope (S:U), for a CVSS score of 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N). In practice this means real-time exfiltration of whatever the socket pushes to the victim and, consistent with the I:L rating, limited actions taken on the victim's behalf.
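A handshake probe that checks whether a deployment validates `Origin`, as an added example that is not code from this page or from the Traccar project. It sends the raw RFC 6455 upgrade request a browser on an attacker origin would send, carrying a test session's JSESSIONID cookie, and classifies the reply: a 101 with the correct `Sec-WebSocket-Accept` means the cross-origin handshake completed. The `/api/socket` path and the cookie name come from the advisory; the target host, the attacker origin `https://attacker.example` and the sample reply bytes are constructed for the example. Use it only against a deployment you are authorised to test, with a throwaway session.

```python
"""Cross-origin WebSocket handshake probe (added example, not Traccar code).

Builds the upgrade request a page on an attacker-controlled origin would make
a browser send to /api/socket, with a test session's JSESSIONID cookie, and
reports whether the server completed the handshake regardless of Origin.
Only probe() touches the network; everything else is pure and runs offline.
"""
import base64
import hashlib
import os
import socket
import ssl
import sys

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455


def expected_accept(ws_key: str) -> str:
    """Sec-WebSocket-Accept a conforming server returns for this Sec-WebSocket-Key."""
    digest = hashlib.sha1((ws_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake(host: str, path: str, origin: str, cookie: str, ws_key: str) -> bytes:
    """Raw HTTP/1.1 upgrade request, shaped like a browser's cross-site handshake."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {ws_key}",
        "Sec-WebSocket-Version: 13",
        f"Origin: {origin}",  # attacker origin: the header a correct server rejects
        f"Cookie: {cookie}",  # the victim's browser adds this automatically
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify_response(raw: bytes, ws_key: str) -> str:
    """Classify the server's first response.

    'vulnerable' - 101 plus the correct Sec-WebSocket-Accept: the cross-origin
                   handshake completed with the victim's session.
    'rejected'   - any other status (403/400/401 ...): Origin or session refused.
    'malformed'  - unparseable reply, or 101 without a valid accept value.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "malformed"
    if int(parts[1]) != 101:
        return "rejected"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if headers.get("sec-websocket-accept") == expected_accept(ws_key):
        return "vulnerable"
    return "malformed"


def probe(host: str, port: int, cookie: str, origin: str = "https://attacker.example",
          path: str = "/api/socket", use_tls: bool = True, timeout: float = 5.0) -> str:
    """Connect, send one handshake, classify the reply.  Authorised targets only."""
    ws_key = base64.b64encode(os.urandom(16)).decode("ascii")
    host_header = host if port in (80, 443) else f"{host}:{port}"
    request = build_handshake(host_header, path, origin, cookie, ws_key)
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_response(raw, ws_key)


# Constructed sample: what a server that ignores Origin answers for the
# RFC 6455 example key.  Not a capture from any real Traccar instance.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_VULNERABLE_REPLY = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)


def demo_offline() -> str:
    """Classify the constructed reply without touching the network."""
    return classify_response(SAMPLE_VULNERABLE_REPLY, SAMPLE_KEY)


if __name__ == "__main__":
    # python ws_origin_probe.py tracking.example.org 443 'JSESSIONID=<test session>'
    if len(sys.argv) == 4:
        print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
    else:
        print("offline demo:", demo_offline())
```

A server that validates `Origin` should answer the attacker-origin handshake with a non-101 status before the cookie is ever consulted; `rejected` on a session cookie that is known to be valid is the result you want. Run the probe a second time with the deployment's own origin to confirm the session cookie itself works, so that a `rejected` verdict is not just an expired test session.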

The GitHub Security Advisory (GHSA-69x6-wcx2-vghp) in the project's repository details the vulnerability but notes that, as of its publication on 2026-02-23, it is unclear whether a fix is available. Practitioners should watch the Traccar repository for a patch and, in the meantime, enforce Origin validation on the `/api/socket` handshake, either in the application or in a reverse proxy in front of it, rejecting the upgrade before any session is bound. Because the attack depends on the browser attaching the session cookie to a cross-site handshake, setting the session cookie's SameSite attribute to Lax or Strict also blocks it, provided legitimate clients do not rely on cross-site cookie use.


Vulnerability details

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available.

CWE(s)

CWE-1385 Missing Origin Validation in WebSockets

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1550.004 Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.

T1041 Exfiltration Over C2 Channel (Exfiltration)
Adversaries may steal data by exfiltrating it over an existing command and control channel.
Why these techniques?

CSWSH enables phishing-delivered browser session hijacking (via unvalidated Origin + JSESSIONID cookie) for WebSocket-based exfiltration and command actions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25648 (same product: Traccar)
CVE-2026-25649 (same product: Traccar)
CVE-2026-34403 (shared CWE-1385)
CVE-2024-48849 (shared CWE-1385)
CVE-2025-24964 (shared CWE-1385)
CVE-2026-44211 (shared CWE-1385)
CVE-2026-35589 (shared CWE-1385)

Affected Assets

Vendor: traccar
Product: traccar
Versions: ≤ 6.11.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent): Directly requires the /api/socket endpoint to enforce that only requests bearing a valid Origin header matching an authorized domain may complete the WebSocket handshake and inherit the JSESSIONID session.

SC-23 Session Authenticity (prevent): Mandates mechanisms that protect session authenticity, preventing an attacker-controlled origin from establishing an authenticated full-duplex channel using a victim's credentials.

Prevent: Requires validation of the Origin header value supplied during the WebSocket upgrade request, blocking cross-origin handshake attempts before the session is bound.
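The Origin check that the interim mitigation in the Deeper analysis and the controls listed above both describe, as an added example in Python that is not Traccar's own code. It places the weak substring match that still leaves a handshake hijackable beside a strict allowlist comparison on the parsed origin, and walks both through the edge cases a CSWSH attacker reaches for: a suffix trick, a fragment trick, a scheme downgrade and the opaque `null` origin. The allowlist entry, the probe hostnames and the `check_upgrade` gate are hypothetical.

```python
"""Origin validation for a WebSocket upgrade (added example, not Traccar code).

A weak substring check of the kind that still leaves a handshake hijackable
sits beside a strict allowlist comparison on the parsed origin.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_is_allowed(origin, allowed_host):
    """Weak: substring match.  'tracking.example.org.attacker.example' passes."""
    return origin is not None and allowed_host in origin


def _normalize(origin):
    """(scheme, host, port) for a serialized origin, or None if it is not one.

    A serialized origin is scheme://host[:port] and nothing else, so userinfo,
    path, query or fragment mark a value that must not be matched at all.
    """
    if not origin or origin == "null":  # opaque origin: sandboxed frames, data: URLs
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def is_allowed_origin(origin, allowlist, allow_missing=False):
    """Strict: Origin must parse and equal one allowlisted origin after normalization.

    Browsers always send Origin on a WebSocket handshake, so a missing header
    means a non-browser client, which cannot be a CSWSH victim.  Whether to
    admit such clients is a deployment decision; the default here refuses them.
    """
    if origin is None:
        return allow_missing
    wanted = _normalize(origin)
    if wanted is None:
        return False
    return any(_normalize(entry) == wanted for entry in allowlist)


def check_upgrade(headers, allowlist):
    """Gate one upgrade request (header names lower-cased) before any session is bound.

    Returns the HTTP status to answer with and a short reason.
    """
    if "websocket" not in headers.get("upgrade", "").lower():
        return 400, "not a websocket upgrade"
    if not is_allowed_origin(headers.get("origin"), allowlist):
        return 403, "origin not allowed"  # refused before the cookie is consulted
    return 101, "switching protocols"


# Constructed inputs for the example; the hostnames are hypothetical.
ALLOWLIST = ["https://tracking.example.org"]
PROBES = [
    "https://tracking.example.org",                   # legitimate
    "https://TRACKING.example.org:443",               # same origin, spelled differently
    "https://tracking.example.org.attacker.example",  # suffix trick
    "https://attacker.example#tracking.example.org",  # fragment trick
    "http://tracking.example.org",                    # scheme downgrade
    "null",                                           # opaque origin
]


def compare_checks():
    """Map each probe origin to (naive verdict, strict verdict)."""
    return {o: (naive_is_allowed(o, "tracking.example.org"),
                is_allowed_origin(o, ALLOWLIST)) for o in PROBES}
```

The naive check admits the suffix, fragment and downgrade probes and, because it is case-sensitive, turns away the legitimate origin written with capitals and an explicit port; the strict check gets all six right. Whichever layer performs the check, it must run during the upgrade request, before the JSESSIONID cookie is used to bind a session to the socket.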
