PatchSiren

CVE-2026-42951 Danelec CVE debrief

An authenticated user can download a backup of the Danelec MacGregor Voyage Data Recorder device which includes account data and password hashes.

Vendor: Danelec
Product: MacGregor Voyage Data Recorder (VDR) G4e
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Maritime operators, shipboard IT/OT security teams, fleet management security personnel, and organizations utilizing Danelec MacGregor VDR systems for vessel voyage data recording. This vulnerability affects operational technology environments where VDR systems are deployed for regulatory compliance and incident investigation. Organizations subject to maritime safety regulations (IMO SOLAS VDR requirements) should prioritize assessment due to potential credential exposure affecting device integrity.

Technical summary

The Danelec MacGregor Voyage Data Recorder (VDR) allows authenticated users to download device backups that contain sensitive account data and password hashes. The vulnerability is classified under CWE-522 (Insufficiently Protected Credentials). The CVSS 4.0 score of 5.9 (MEDIUM) reflects an adjacent-network attack vector, high attack complexity, low privileges required, and high confidentiality impact on the vulnerable component. No integrity or availability impact is scored. The vulnerability was disclosed via CISA ICS Advisory ICSA-26-148-01 on 2026-05-29.

Defensive priority

Medium

Recommended defensive actions

  • Review CISA ICS Advisory ICSA-26-148-01 for vendor guidance and patch availability
  • Restrict network access to VDR devices to authorized personnel only
  • Monitor for unauthorized backup download attempts
  • Audit existing VDR backups for exposure of credential data
  • Rotate credentials for affected VDR accounts if compromise is suspected
  • Contact Danelec for security updates per vendor guidance
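
For the backup audit action above, the following is an added example, not code from the advisory, the vendor or this site. It assumes a stored backup has already been extracted to a directory; the backup layout, file names and hash schemes are assumptions, since the advisory text quoted here does not describe them. It reports where credential-like values sit without echoing the values.

```python
import re
import tempfile
from pathlib import Path

# Modular Crypt Format ids -> scheme names (standard crypt(3) identifiers).
MCF_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
               "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt",
               "argon2i": "argon2i", "argon2id": "argon2id"}
MCF_RE = re.compile(rb"\$(1|5|6|2[aby]|y|argon2id?)\$[A-Za-z0-9./$=,+-]{16,}")
# Bare hex digest (MD5/SHA-1/SHA-256 length) right after a password-like key.
HEX_RE = re.compile(
    rb"(?i)(?:pass(?:word|wd)?|hash)\W{1,4}([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")


def scan_backup(root, max_bytes=8 * 1024 * 1024):
    """Return (relative_path, line_no, scheme) per credential-like value found
    under root. Matched values are never returned, so the report is shareable."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            data = fh.read(max_bytes)  # bounded read; bytes mode copes with binary files
        rel = path.relative_to(root).as_posix()
        for line_no, line in enumerate(data.splitlines(), start=1):
            for m in MCF_RE.finditer(line):
                findings.append((rel, line_no, MCF_SCHEMES[m.group(1).decode()]))
            for m in HEX_RE.finditer(line):
                findings.append((rel, line_no, f"hex-digest-{len(m.group(1)) * 4}bit"))
    return findings


def demo():
    """Scan a constructed tree standing in for an extracted backup (assumed layout)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        # Constructed shadow-style entry: placeholder salt and digest, not a real hash.
        (root / "etc" / "shadow").write_text(
            "root:$6$" + "S" * 8 + "$" + "h" * 86 + ":19000:0:99999:7:::\n"
            "svc:!:19000::::::\n")
        (root / "users.json").write_text(
            '{"user": "admin",\n "password": "' + "ab" * 16 + '"}\n')
        (root / "voyage.dat").write_bytes(bytes(range(256)) * 4)  # binary filler
        return scan_backup(root)


if __name__ == "__main__":
    for rel, line_no, scheme in demo():
        print(f"{rel}:{line_no}: {scheme}")
```

Any location it reports marks a backup copy that should be access-restricted and whose accounts are candidates for the credential rotation listed above.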

Evidence notes

CISA ICS Advisory ICSA-26-148-01 published 2026-05-29. CVSS 4.0 vector: AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. CWE-522 (Insufficiently Protected Credentials).
