Skip to main content

NAVTOR NavBox CVE-2026-21404

| EUVDEUVD-2026-34321 MEDIUM
Use of Hard-coded Credentials (CWE-798)
2026-06-04 ics-cert@hq.dhs.gov GHSA-x454-wfv6-72h8
5.8
CVSS 4.0 · Vendor: hq
Share

Severity by source

Vendor (hq) PRIMARY
5.8 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (hq) · only source for this CVE.

CVSS VectorVendor: hq

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 04, 2026 - 20:34 vuln.today
CVE Published
Jun 04, 2026 - 20:16 nvd
MEDIUM 5.8

DescriptionCVE.org

NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.

AnalysisAI

Hard-coded credentials embedded in NAVTOR NavBox's Windows Communication Foundation (SOAP) implementation allow a local low-privileged attacker to extract static credentials and authenticate against privileged WCF methods, enabling arbitrary file write or overwrite within application-defined paths. All NavBox versions through 4.16.1.20 are affected when the SOAP interface is enabled. CISA ICS-CERT has issued advisory ICSA-26-155-01 for this OT/maritime navigation product; no public exploit has been identified at time of analysis, though the ICS context elevates operational safety concern.

Technical ContextAI

NAVTOR NavBox relies on Windows Communication Foundation (WCF), Microsoft's SOAP-based messaging framework, for its data transfer workflows - flagged by the 'Microsoft' tag in the advisory metadata. CWE-798 (Use of Hard-coded Credentials) describes a design flaw where fixed authentication tokens are baked into the application binary or configuration at build time, rather than being dynamically provisioned. An attacker can recover these credentials through binary reverse engineering, file inspection, or memory analysis without exploiting any memory-safety bug. Once recovered, the credentials authenticate against the WCF SOAP interface, which exposes privileged methods gated by those same static tokens. The resulting capability - writing or overwriting files within application-defined paths - is a high-impact primitive in a maritime navigation system, where integrity of navigation databases, route files, or configuration data directly affects operational safety. No CPE string was provided in the available data; affected scope is defined by the vendor advisory.

RemediationAI

Consult CISA ICS advisory ICSA-26-155-01 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-01 for vendor-confirmed patch details; a specific fixed version number is not available in the provided intelligence data and should not be assumed. As an immediate compensating control, disable the SOAP/WCF functionality on NavBox if it is not operationally required - this eliminates the attack surface entirely, though it may disrupt integrations relying on the SOAP-based transfer workflow, which should be evaluated before disabling. If SOAP must remain enabled, restrict local system access to NavBox devices to only trusted, role-appropriate personnel, reducing the pool of potential credential extractors. Implement file integrity monitoring on application-defined paths to detect unauthorized writes as a detection layer pending patch deployment. Given the ICS context, coordinate any changes with operational technology (OT) change management processes to avoid unintended navigation service disruption.

Share

CVE-2026-21404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy