CVE-2026-2754
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.
Analysis
Navtor NavBox devices allow unauthenticated remote attackers to retrieve sensitive operational data including ECDIS information, device identifiers, and service logs by sending HTTP requests to the unprotected API on port 8080. An attacker with network access can obtain this configuration and system information without any credentials, potentially facilitating further attacks against maritime navigation systems. …
Remediation
Within 24 hours: Audit network access logs for unauthorized API queries and identify all NavBox instances in your environment. Within 7 days: Implement network segmentation to restrict HTTP API endpoint access to authorized internal networks only, and deploy WAF rules to require authentication headers on all API requests. …
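An added example (not part of the advisory or of any Navtor tooling) of the log audit in the first remediation step: it flags GET requests to TCP port 8080 on NavBox hosts that come from sources outside an allow-list. The key=value log format, the host inventory, the allow-listed network and the placeholder path are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions, not from the advisory: device inventory and allowed admin network.
NAVBOX_HOSTS = {"10.20.9.10", "10.20.9.11"}
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.1.0/24")]
API_PORT = "8080"  # TCP port named in the advisory

# Constructed sample log (key=value format is hypothetical; the path is a
# placeholder because the advisory does not name the endpoints).
SAMPLE_LOG = """\
2026-01-10T02:10:00Z src=10.20.1.5 dst=10.20.9.10 dport=8080 method=GET path=/PLACEHOLDER status=200
2026-01-10T02:14:07Z src=10.20.5.44 dst=10.20.9.10 dport=8080 method=GET path=/PLACEHOLDER status=200
2026-01-10T02:14:09Z src=10.20.5.44 dst=10.20.9.11 dport=8080 method=GET path=/PLACEHOLDER status=200
2026-01-10T03:01:30Z src=203.0.113.7 dst=10.20.9.10 dport=8080 method=GET path=/PLACEHOLDER status=200
2026-01-10T03:05:00Z src=10.20.5.44 dst=10.20.9.10 dport=443 method=GET path=/PLACEHOLDER status=200
2026-01-10T03:06:00Z src=10.20.5.44 dst=10.20.3.3 dport=8080 method=GET path=/PLACEHOLDER status=200
truncated-line-without-fields
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = parts[0]
    return fields if {"src", "dst", "dport", "method"} <= fields.keys() else None

def is_authorized(src):
    """True only if src parses as an IP address inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is surfaced rather than silently trusted
    return any(addr in net for net in AUTHORIZED_NETS)

def audit(log_text):
    """Map each unauthorized source to its (timestamp, device, status) API hits."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if (f["dst"] in NAVBOX_HOSTS and f["dport"] == API_PORT
                and f["method"] == "GET" and not is_authorized(f["src"])):
            findings[f["src"]].append((f["ts"], f["dst"], f.get("status", "-")))
    return dict(findings)

if __name__ == "__main__":
    for src, hits in sorted(audit(SAMPLE_LOG).items()):
        print(src, len(hits), "request(s):", hits)
```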