Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (hq) · only source for this CVE.
CVSS VectorVendor: hq
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.
AnalysisAI
Hard-coded credentials embedded in NAVTOR NavBox's Windows Communication Foundation (SOAP) implementation allow a local low-privileged attacker to extract static credentials and authenticate against privileged WCF methods, enabling arbitrary file write or overwrite within application-defined paths. All NavBox versions through 4.16.1.20 are affected when the SOAP interface is enabled. CISA ICS-CERT has issued advisory ICSA-26-155-01 for this OT/maritime navigation product; no public exploit has been identified at time of analysis, though the ICS context elevates operational safety concern.
Technical ContextAI
NAVTOR NavBox relies on Windows Communication Foundation (WCF), Microsoft's SOAP-based messaging framework, for its data transfer workflows - flagged by the 'Microsoft' tag in the advisory metadata. CWE-798 (Use of Hard-coded Credentials) describes a design flaw where fixed authentication tokens are baked into the application binary or configuration at build time, rather than being dynamically provisioned. An attacker can recover these credentials through binary reverse engineering, file inspection, or memory analysis without exploiting any memory-safety bug. Once recovered, the credentials authenticate against the WCF SOAP interface, which exposes privileged methods gated by those same static tokens. The resulting capability - writing or overwriting files within application-defined paths - is a high-impact primitive in a maritime navigation system, where integrity of navigation databases, route files, or configuration data directly affects operational safety. No CPE string was provided in the available data; affected scope is defined by the vendor advisory.
RemediationAI
Consult CISA ICS advisory ICSA-26-155-01 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-01 for vendor-confirmed patch details; a specific fixed version number is not available in the provided intelligence data and should not be assumed. As an immediate compensating control, disable the SOAP/WCF functionality on NavBox if it is not operationally required - this eliminates the attack surface entirely, though it may disrupt integrations relying on the SOAP-based transfer workflow, which should be evaluated before disabling. If SOAP must remain enabled, restrict local system access to NavBox devices to only trusted, role-appropriate personnel, reducing the pool of potential credential extractors. Implement file integrity monitoring on application-defined paths to detect unauthorized writes as a detection layer pending patch deployment. Given the ICS context, coordinate any changes with operational technology (OT) change management processes to avoid unintended navigation service disruption.
More in Navbox Firmware
View allNavtor NavBox exposes an unauthenticated path traversal vulnerability in its HTTP service that allows remote attackers t
Navtor NavBox devices allow unauthenticated remote attackers to retrieve sensitive operational data including ECDIS info
The /api/ais-data endpoint in Navtor NavBox leaks sensitive information through unhandled exception error messages, allo
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34321
GHSA-x454-wfv6-72h8