Cydome’s security research team recently published three vulnerabilities affecting NAVTOR NavBox operational vessel data gateways running version 4.12.0.3. The vulnerabilities could allow remote attackers with network access to the device to gain unauthorized access to sensitive vessel operations data.
- CVE-2026-2752 – Missing Authentication on HTTP API Endpoints, CVSS V3: 7.5 HIGH
- CVE-2026-2753 – Absolute Path Traversal Vulnerability, CVSS V3: 7.5 HIGH
- CVE-2026-2754 – Information Disclosure Vulnerability, CVSS V3: 5.3 MEDIUM
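The second finding is classed as absolute path traversal. The advisory gives no detail of the affected endpoint, so the following is a generic, added illustration of that vulnerability class and of the check that prevents it; it is not NavBox code and nothing in it is derived from the device. The base directory, file names and request strings are constructed in a temporary directory so the script runs offline. The point it shows is that os.path.join silently discards the base directory whenever the client-supplied component is absolute, so a file-serving handler must verify the resolved path after joining, not trust the join itself.

```python
"""Absolute path traversal (CWE-36): a naive resolver beside a hardened one.
Added example; the directory layout below is constructed, not taken from
any real product."""
import os
import tempfile

# Constructed sandbox: BASE_DIR holds one file a client may read;
# OUTSIDE_FILE sits next to it and must never be served.
_root = tempfile.mkdtemp()
BASE_DIR = os.path.join(_root, "public")
os.makedirs(BASE_DIR)
with open(os.path.join(BASE_DIR, "status.json"), "w") as fh:
    fh.write('{"ok": true}')
OUTSIDE_FILE = os.path.join(_root, "secret.txt")
with open(OUTSIDE_FILE, "w") as fh:
    fh.write("not for clients")


def naive_resolve(requested: str) -> str:
    """Vulnerable form. If `requested` is absolute, os.path.join returns it
    unchanged, so the handler reads any path the client names."""
    return os.path.join(BASE_DIR, requested)


def safe_resolve(requested: str) -> str:
    """Hardened form: refuse absolute input, canonicalise, then confirm the
    result is still inside BASE_DIR (this also catches '..' sequences)."""
    if os.path.isabs(requested):
        raise PermissionError(f"absolute path not allowed: {requested!r}")
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return candidate


def read_public_file(requested: str) -> str:
    """What a hardened file endpoint would do: resolve safely, then read."""
    with open(safe_resolve(requested)) as fh:
        return fh.read()


if __name__ == "__main__":
    print("naive:", naive_resolve(OUTSIDE_FILE))      # the base is gone
    print("safe :", read_public_file("status.json"))
    for bad in (OUTSIDE_FILE, "../secret.txt"):
        try:
            safe_resolve(bad)
        except PermissionError as exc:
            print("rejected:", exc)
```

The commonpath check is the part worth keeping: rejecting a leading slash alone is not enough, because "../" sequences and symlinks can also leave the base directory, and realpath plus a containment test covers all three.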
Responsible Disclosure
The research was responsibly shared with NAVTOR, who confirmed the findings and that the issues were fixed in NavBox before public disclosure. As part of the process, NAVTOR also reported that all relevant customers were informed.
Fixed versions:
- CVE-2026-2752: Fixed in version 4.16.2.4 (November 2025) and later.
- CVE-2026-2753: Fixed in version 4.14.1.2 (December 2024) and later.
- CVE-2026-2754: Fixed in version 4.16.2.4 (November 2025) and later.
NAVTOR statement:
“At NAVTOR, we are committed to maintaining the highest standards of product security, and welcome good‑faith security research and coordinated vulnerability disclosure. Following Cydome’s responsible report, we verified the three findings and confirmed they impacted legacy NavBox v4.12.0.3.
The issues have been remediated as follows: CVE‑2026‑2753 was remediated in NavBox v4.14.1.2 and later (released late 2024), while CVE‑2026‑2752 and CVE‑2026‑2754 were remediated in NavBox v4.16.2.4 and later (released November 2025).
Affected customers have been contacted individually. Customers with an active, online NavBox have been patched since late 2024 for CVE‑2026‑2753 and since November 2025 for CVE‑2026‑2752 and CVE‑2026‑2754. Customers can rest assured that all NavBoxes with an active online connection are automatically kept up to date with the latest version. We thank Cydome for identifying these vulnerabilities and for the responsible disclosure.”
Tyr Steffensen, Cyber Security Officer, NAVTOR.
Potential Impact
Attackers can gain unauthorized access to sensitive vessel operations data, for example: unencrypted real-time telemetry data, network information, information about other devices connected to the same network (e.g., identifying the ECDIS IP address) and more. In addition, the vulnerabilities may allow unauthorized access to the device’s file system, which could be used for further exploitation.
Affected Devices
NAVTOR NavBox running software version 4.12.0.3.
Remediation
Update the NavBox software to 4.16.2.4 or later.
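For an operator with several vessels, the practical question is which NavBoxes are still below the fixed versions listed above. The script below is an added example, not Cydome's or NAVTOR's tooling: it maps each CVE to the first fixed version stated in this advisory and reports, per device, which fixes are still missing. The inventory is constructed; in practice the versions would come from the device's own reporting. It compares versions as numeric tuples rather than strings, because a string comparison would rank 4.9.0.0 above 4.16.2.4 and wrongly mark an old device as patched.

```python
"""Fleet check against the fixed versions stated in the advisory.
Added example; the inventory is constructed, not real vessel data."""
from typing import Dict, List, Tuple

# CVE -> first fixed version, as given in the advisory's "Fixed versions" list.
FIXED_IN: Dict[str, str] = {
    "CVE-2026-2752": "4.16.2.4",
    "CVE-2026-2753": "4.14.1.2",
    "CVE-2026-2754": "4.16.2.4",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.12.0.3' -> (4, 12, 0, 3). Numeric tuples order correctly; plain
    strings do not ('4.9.0.0' > '4.16.2.4' as text)."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def open_cves(version: str) -> List[str]:
    """CVEs from FIXED_IN whose fix is not yet present at `version`."""
    running = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if running < parse_version(fixed))


# Constructed inventory: device name -> software version it reports.
INVENTORY: Dict[str, str] = {
    "navbox-vessel-a": "4.12.0.3",  # the version the advisory covers
    "navbox-vessel-b": "4.14.1.2",  # carries only the CVE-2026-2753 fix
    "navbox-vessel-c": "4.16.2.4",  # carries all three fixes
    "navbox-vessel-d": "4.9.0.0",   # older than all fixes despite the "9"
}


def fleet_report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Device -> list of CVEs still open; an empty list means fully fixed."""
    return {host: open_cves(v) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, cves in fleet_report(INVENTORY).items():
        print(f"{host:18s} {'OK' if not cves else ', '.join(cves)}")
```

The advisory's own remediation line (4.16.2.4 or later) is the single threshold to use; the per-CVE table only matters for explaining why a device on 4.14.1.2 is partly but not fully remediated.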