Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials.
AnalysisAI
Authentication bypass via hard-coded credentials in Danelec MacGregor Voyage Data Recorder (VDR) G4e allows attackers with adjacent-network access to log in using undocumented default accounts and gain high-impact access to confidentiality and integrity of recorded voyage data. The flaw was disclosed via CISA ICS-CERT advisory ICSA-26-148-01 and carries a CVSS v4.0 score of 8.7, with no public exploit identified at time of analysis and no CISA KEV listing.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be on an adjacent network segment that can reach the VDR G4e's management interface (CVSS AV:A) - typically the shipboard bridge LAN, an engineering VLAN, or any network bridged to it such as a misconfigured satcom or crew network - and must possess or discover the hard-coded credentials embedded in the device firmware; no user interaction and no prior authentication on the VDR are required (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS v4.0 vector AV:A/AC:L/PR:N/UI:N with VC:H/VI:H/VA:L indicates an adjacent-network, low-complexity, unauthenticated attack yielding high confidentiality and integrity impact and low availability impact - meaning the attacker must reach the VDR's local bridge/shipboard network segment but needs no credentials or user interaction once there. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who gains a foothold on the same shipboard network as the VDR - for example via a compromised crew laptop on a flat bridge LAN, a malicious USB-to-Ethernet adapter, or a misconfigured satcom router bridging IT and OT segments - authenticates to the VDR's management interface using the hard-coded default account and downloads or tampers with recorded voyage data, potentially destroying forensic evidence after a maritime incident or planting falsified data. No public exploit code has been identified at time of analysis, but exploitation requires only knowledge of the embedded credentials, which is the canonical low-skill barrier for CWE-798 once disclosed. |
| Remediation | No vendor-released patch version was independently confirmed from the supplied references, so operators should contact Danelec directly via https://www.danelec.com/contact and review the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01 to obtain the fixed firmware build and any vendor-supplied credential-rotation procedure for the G4e platform. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Danelec MacGregor VDR G4e systems; isolate them using VLAN segmentation and firewall rules to restrict adjacent-network connections. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Hardcoded default credentials in the Danelec MacGregor Voyage Data Recorder (VDR) G4e allow adjacent attackers to gain a
Authenticated administrator access on the Danelec MacGregor Voyage Data Recorder (VDR) G4E web interface permits direct
Backup download functionality in the Danelec MacGregor Voyage Data Recorder G4E exposes account credentials and password
Weak password storage in the Danelec MacGregor VDR G4E exposes credentials to offline brute-force attack: the hashing al
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33400
GHSA-84hh-5gvq-fvr4