PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44611 Danelec CVE debrief

A medium-severity vulnerability (CVSS 5.9) in Danelec MacGregor Voyage Data Recorder (VDR) systems involves password hashing that limits password length and is susceptible to brute-force attacks. The weakness stems from use of a hashing method that does not provide adequate resistance to password cracking attempts. This affects maritime safety equipment used for recording vessel navigation data. The vulnerability was disclosed by CISA ICS-CERT on May 29, 2026, and is tracked as ICSA-26-148-01.

Vendor: Danelec
Product: MacGregor Voyage Data Recorder (VDR) G4e
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Maritime operators, shipowners, and fleet managers using Danelec MacGregor VDR systems; ICS security teams responsible for maritime safety equipment; port authorities and classification societies auditing vessel cybersecurity compliance.

Technical summary

The Danelec MacGregor Voyage Data Recorder implements password storage using a hashing method that imposes length limitations on passwords and lacks sufficient computational cost to resist brute-force attacks. The CVSS 4.0 vector (AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N) indicates that an attack requires adjacent network access, high attack complexity, and low privileges, with high impact on the confidentiality of VDR data. The weakness is classified as CWE-916 (Use of Password Hash With Insufficient Computational Effort).
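
The two properties named above (a length limit and low computational cost), contrasted with an adaptive hash in an added example that is not Danelec's code; the advisory text here does not name the hashing method. The 8-byte limit, the salted SHA-256 stand-in and all function names are assumptions, and scrypt is one of several adaptive hashes that address CWE-916.

```python
import hashlib
import hmac
import os

ASSUMED_MAX_LEN = 8  # assumption: the page does not state the actual limit


def weak_enroll(password: str) -> tuple[bytes, bytes]:
    """Constructed weak scheme: truncate, then one fast salted SHA-256."""
    salt = os.urandom(16)
    data = password.encode("utf-8")[:ASSUMED_MAX_LEN]
    return salt, hashlib.sha256(salt + data).digest()


def weak_verify(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, stored = record
    data = password.encode("utf-8")[:ASSUMED_MAX_LEN]
    return hmac.compare_digest(hashlib.sha256(salt + data).digest(), stored)


def _scrypt(password: str, salt: bytes) -> bytes:
    # N=2**14, r=8 needs about 16 MiB per guess; the full input is hashed.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def strong_enroll(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _scrypt(password, salt)


def strong_verify(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, stored = record
    return hmac.compare_digest(_scrypt(password, salt), stored)


def ignores_suffix(enroll, verify, prefix_len: int) -> bool:
    """True if a password differing only after prefix_len still verifies."""
    base = "A" * prefix_len
    record = enroll(base + "-original-tail")
    return verify(base + "-different-tail", record)


if __name__ == "__main__":
    for name, e, v in (("weak", weak_enroll, weak_verify),
                       ("scrypt", strong_enroll, strong_verify)):
        print(name, "ignores characters past position", ASSUMED_MAX_LEN, ":",
              ignores_suffix(e, v, ASSUMED_MAX_LEN))
```

`ignores_suffix` can be pointed at any enroll/verify pair in a test harness to check whether a password store silently drops characters beyond a given length.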

Defensive priority

Medium

Recommended defensive actions

  • Contact Danelec for patch availability and recommended firmware updates per vendor security advisory
  • Review and strengthen password policies for VDR administrative accounts, enforcing maximum length constraints where the hashing method limits input
  • Implement network segmentation to limit access to VDR management interfaces from untrusted networks
  • Monitor authentication logs for anomalous access attempts to VDR systems
  • Conduct security assessment of password storage implementations in other maritime safety equipment

Evidence notes

CISA ICS-CERT advisory ICSA-26-148-01 identifies CWE-916 (Use of Password Hash With Insufficient Computational Effort). CVSS 4.0 vector: AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N. Vendor contact information provided for coordinated disclosure.

Official resources

Disclosed May 29, 2026 via CISA ICS-CERT advisory ICSA-26-148-01.