Skip to main content

Navbox Firmware CVE-2026-2754

HIGH
Missing Authentication for Critical Function (CWE-306)
2026-03-06 56a186b1-7f5e-4314-ba38-38d5499fccfd
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 15:16 nvd
HIGH 7.5

DescriptionCVE.org

Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.

AnalysisAI

Navtor NavBox devices allow unauthenticated remote attackers to retrieve sensitive operational data including ECDIS information, device identifiers, and service logs by sending HTTP requests to the unprotected API on port 8080. An attacker with network access can obtain this configuration and system information without any credentials, potentially facilitating further attacks against maritime navigation systems. No patch is currently available for this vulnerability.

Technical ContextAI

Classified as CWE-306 (Missing Authentication for Critical Function). Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Share

CVE-2026-2754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy