Navbox Firmware
CVE-2026-2754
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.
AnalysisAI
Navtor NavBox devices allow unauthenticated remote attackers to retrieve sensitive operational data including ECDIS information, device identifiers, and service logs by sending HTTP requests to the unprotected API on port 8080. An attacker with network access can obtain this configuration and system information without any credentials, potentially facilitating further attacks against maritime navigation systems. No patch is currently available for this vulnerability.
Technical ContextAI
Classified as CWE-306 (Missing Authentication for Critical Function). Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Navbox Firmware
View allHard-coded credentials embedded in NAVTOR NavBox's Windows Communication Foundation (SOAP) implementation allow a local
Navtor NavBox exposes an unauthenticated path traversal vulnerability in its HTTP service that allows remote attackers t
The /api/ais-data endpoint in Navtor NavBox leaks sensitive information through unhandled exception error messages, allo
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today