
Macgregor Voyage Data Recorder Vdr G4E

5 CVEs product


CVE-2026-40425 MEDIUM PATCH CISA This Month

Authenticated administrator access on the Danelec MacGregor Voyage Data Recorder (VDR) G4E web interface permits direct editing of sensitive authentication files, including the ability to overwrite the root password. The CVSS vector (AV:A/AC:L/PR:H/UI:N) confirms that exploitation requires both adjacent network positioning and existing high-privilege credentials, meaning this is not a remotely exploitable unauthenticated attack path. The issue was reported by ICS-CERT under advisory ICSA-26-148-01 as a maritime OT device concern; no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Path Traversal Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
CVSS 4.0: 6.9 | EPSS: 0.0%
CVE-2026-42929 HIGH PATCH CISA Act Now

Authentication bypass via hard-coded credentials in Danelec MacGregor Voyage Data Recorder (VDR) G4e allows attackers with adjacent-network access to log in using undocumented default accounts, with high impact on the confidentiality and integrity of recorded voyage data. The flaw was disclosed via CISA ICS-CERT advisory ICSA-26-148-01 and carries a CVSS v4.0 score of 8.7, with no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
CVSS 4.0: 8.7 | EPSS: 0.0%
CVE-2026-44611 MEDIUM PATCH CISA This Month

Weak password storage in the Danelec MacGregor VDR G4E exposes credentials to offline brute-force attack: the hashing algorithm in use both caps maximum password length and provides insufficient computational cost, meaning recovered hashes can be cracked with modest effort. An adjacent-network attacker holding low-privilege access who obtains the stored hashes can recover plaintext credentials and authenticate with elevated privileges to this safety-critical maritime recording system. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, but the vulnerability affects all known versions of the G4E and is confirmed by CISA ICS advisory ICSA-26-148-01.

Information Disclosure Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
CVSS 4.0: 5.9 | EPSS: 0.0%
CVE-2026-42951 MEDIUM PATCH CISA This Month

Backup download functionality in the Danelec MacGregor Voyage Data Recorder G4E exposes account credentials and password hashes to any authenticated low-privileged user. An attacker with a valid low-privilege account operating on the same adjacent network segment (typically the onboard vessel LAN) can retrieve a device backup file containing credential material, enabling offline password cracking and potential privilege escalation. No public exploit has been identified at time of analysis, but the maritime OT context and the issuance of CISA ICS advisory ICSA-26-148-01 underscore its relevance to vessel operational security.

Information Disclosure Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
CVSS 4.0: 5.9 | EPSS: 0.0%
CVE-2026-42941 HIGH PATCH CISA Act Now

Hardcoded default credentials in the Danelec MacGregor Voyage Data Recorder (VDR) G4e allow adjacent attackers to gain administrative access to the maritime black-box recorder without any password change being enforced at deployment. The flaw was reported through ICS-CERT (advisory ICSA-26-148-01) and carries a CVSS 4.0 score of 8.7, reflecting high confidentiality and integrity impact over an adjacent network with no privileges or user interaction required. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
CVSS 4.0: 8.7 | EPSS: 0.0%