CVE-2026-2754 | THREATINT

Description

Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.

PUBLISHED Reserved 2026-02-19 | Published 2026-03-06 | Updated 2026-03-06 | Assigner MHV

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status

unaffected

4.12.0.3

affected

4.16.2.4

unaffected

Credits

Cydome Security Ltd finder

References

cydome.io/...cve-2026-2754-in-navtor-navbox-version-4-12-0-3 technical-description

cve.org (CVE-2026-2754)

nvd.nist.gov (CVE-2026-2754)

Download JSON