There are several HTTP verbs (request methods) such as GET and POST. TRACK is one of these verbs which tells IIS to return the full request back to the client as part of the response. HTTP TRACK verb is Microsoft’s implementation and it is similar to TRACE verb which is RFC complaint.
Security scan tools often raise a flag if HTTP TRACK and TRACE verbs are enabled in your server because attackers can try capturing client cookies by forcing web servers to return full requests.
Here is a description from a security scan tool that marked the usage of this verb as a vulnerability:
The HTTP TRACK method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACK request and capture the client’s cookies. This effectively results in a Cross-Site Scripting attack.
Source