Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change.
Analysis (AI)
Hardcoded default credentials in the Danelec MacGregor Voyage Data Recorder (VDR) G4e allow adjacent attackers to gain administrative access to the maritime black-box recorder without any password change being enforced at deployment. The flaw was reported through ICS-CERT (advisory ICSA-26-148-01) and carries a CVSS 4.0 score of 8.7, reflecting high confidentiality and integrity impact over an adjacent network with no privileges or user interaction required. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires network reachability to the VDR G4e management interface from the ship's adjacent onboard network (CVSS AV:A), and that the operator has not manually changed the default username/password during commissioning - which the device does not enforce. … |
| Risk Assessment | The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L) indicates exploitation requires only adjacent network access with no authentication, no user interaction, and low complexity, yielding high confidentiality and integrity impact and limited availability impact - consistent with credential-based administrative access. … |
| Exploit Scenario | An attacker who reaches the ship's onboard network - for example a malicious crew member, a port-side technician with maintenance LAN access, or a remote attacker who has pivoted from a compromised ECDIS, satcom router, or crew Wi-Fi - connects to the VDR's management interface and authenticates with the documented default credentials. With administrative access they can read sensitive voyage data including bridge audio, navigation logs, and radar imagery, or tamper with recorded data to destroy evidence following an incident or collision. … |
| Remediation | No vendor-released patch version is identified in the available data; remediation must therefore be operational. … |
Recommended Action (AI)
Within 24 hours: Identify all Danelec MacGregor VDR G4e deployments in your environment and document network connectivity. …
Authentication bypass via hard-coded credentials in Danelec MacGregor Voyage Data Recorder (VDR) G4e allows attackers wi
Authenticated administrator access on the Danelec MacGregor Voyage Data Recorder (VDR) G4E web interface permits direct
Backup download functionality in the Danelec MacGregor Voyage Data Recorder G4E exposes account credentials and password
Weak password storage in the Danelec MacGregor VDR G4E exposes credentials to offline brute-force attack: the hashing al
Same weakness CWE-1392 – Use of Default Credentials
Same technique: Information Disclosure
EUVD-2026-33395
GHSA-fvxq-cq6f-h294