CVE-2026-40425 Danelec CVE debrief

Who should care

Maritime operators, ship owners, and fleet managers utilizing Danelec MacGregor VDR systems; industrial cybersecurity teams responsible for OT/ICS environments; port authorities and classification societies auditing vessel cybersecurity compliance; system integrators deploying maritime safety equipment.

Technical summary

The Danelec MacGregor Voyage Data Recorder web interface implements insufficient access controls on sensitive system files. An administrator-level authenticated user can directly modify files containing authentication credentials, including the potential to change the root password. The vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties). Attack requires adjacent network access and high privileges, with CVSS 4.0 score of 6.9 (Medium). Confidentiality impact is rated high, while integrity and availability impacts are low. This affects maritime safety-critical systems where VDRs are mandated for vessel voyage data recording.

Defensive priority

medium

Recommended defensive actions

• Restrict administrative access to the VDR web interface to trusted network segments only
• Implement network segmentation to isolate VDR systems from untrusted networks
• Monitor file system changes to authentication-related files on VDR systems
• Apply vendor patches when available per CISA ICS-CERT guidance
• Review and enforce principle of least privilege for administrative accounts
• Contact Danelec for specific remediation guidance and patch availability

Evidence notes

Vulnerability disclosed via CISA ICS-CERT advisory ICSA-26-148-01. CVSS 4.0 vector provided by NVD. Weakness classified as CWE-552 (Files or Directories Accessible to External Parties). Vendor contact information available through Danelec official channels.

Official resources