NAVTOR NavBox lets local attackers overwrite files

CISA has disclosed CVE-2026-21404, a hard-coded credentials vulnerability in NAVTOR NavBox versions up to 4.16.1.20 that, if SOAP is enabled, allows a local attacker to bypass transfer workflows and write arbitrary files.

NAVTOR's NavBox maritime navigation system ships with hard-coded credentials baked into its Windows Communication Foundation SOAP implementation, giving any local attacker with the know-how a direct path to overwrite application files.

What the CVE Actually Exposes

CVE-2026-21404, reported by Cydome Security Ltd and published by CISA on June 4, 2026, affects NavBox versions up to 4.16.1.20. The flaw is exactly what CWE-798 describes: embedded credentials that never change. If an operator enables the SOAP interface (not the default, but a configurable option), a local attacker can extract those credentials and authenticate to privileged WCF methods. Once in, they can write or overwrite files within application-defined paths, with no further authentication required. The flaw scores CVSS 6.3 (medium severity) under both v3.1 and v4.0, with the vector reflecting local access, high attack complexity, no confidentiality impact, and high integrity and availability impact.

The Attack Prerequisites That Limit Risk

This isn't a wormable remote exploit. It's local-only, high complexity, and requires the SOAP interface to be enabled. That means an attacker already has user-level access to the machine or physical access to the NavBox device. In a maritime environment, that's a crew member, a contractor, or someone who slips past physical security. Still, once they have that foothold, the hard-coded credentials hand them a privilege escalation that bypasses the intended transfer workflow. You don't need to guess or brute-force — the keys are right there in the binary.

The Fix and What It Means for Operators

NAVTOR released a patch in April 2026. Version 4.17.2.6 and later remove the hard-coded credentials. If your NavBox has an active internet connection, it updates automatically — no action required on your end. But “automatically” assumes the device is online and hasn't been pinned to an older version. CISA's recommended practices apply here: isolate the NavBox behind firewalls, disable SOAP if you don't need it, and treat local access as a privilege, not a given. If you've got a NavBox still on 4.16.1.20, the April patch is the only thing standing between a local attacker and trashed data — go verify your connection.
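
As an added example (not NAVTOR or CISA code), the Python below triages a fleet inventory using only the two version bounds and the SOAP precondition quoted above. The inventory fields, vessel names and status labels are assumptions constructed for illustration; how the version and SOAP setting are collected from each device is left to the operator.

```python
# Added example: triage NavBox units against the versions quoted in this article.
from dataclasses import dataclass

LAST_AFFECTED = (4, 16, 1, 20)  # article: affected "up to 4.16.1.20"
FIRST_FIXED = (4, 17, 2, 6)     # article: 4.17.2.6 and later remove the credentials


@dataclass
class Unit:
    vessel: str         # hypothetical inventory field
    version: str        # NavBox version string as recorded by the operator
    soap_enabled: bool  # hypothetical field: operator's record of the SOAP option


def parse_version(text):
    """Turn '4.16.1.20' into (4, 16, 1, 20); return None unless it is four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(unit):
    """Classify one unit from the two version bounds and the SOAP precondition."""
    v = parse_version(unit.version)
    if v is None:
        return "CHECK: version unreadable, verify on the device"
    if v >= FIRST_FIXED:
        return "OK: at or above the fixed release"
    if v > LAST_AFFECTED:
        # The article gives no status for builds between the two bounds.
        return "CHECK: between affected and fixed bounds, update to be sure"
    if unit.soap_enabled:
        return "EXPOSED: affected build with SOAP enabled, update and disable SOAP"
    return "LATENT: affected build with SOAP off, update before it is enabled"


# Constructed sample inventory (not real vessels or data).
FLEET = [
    Unit("MV Example A", "4.16.1.20", True),
    Unit("MV Example B", "4.9.0.1", False),   # numeric compare: 9 < 16
    Unit("MV Example C", "4.17.0.0", False),
    Unit("MV Example D", "4.17.2.6", True),
    Unit("MV Example E", "4.17", False),      # truncated record
]

if __name__ == "__main__":
    for u in FLEET:
        print(f"{u.vessel:14} {u.version:12} {triage(u)}")
```

Versions are compared as integer tuples because a plain string comparison would rank 4.9.0.1 above 4.16.1.20 and mark an affected unit as newer than it is.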


Source: NAVTOR NavBox
Domain: cisa.gov
