PatchSiren cyber security CVE debrief
CVE-2026-2754 Navtor CVE debrief
CVE-2026-2754 is a HIGH-severity vulnerability in Navtor NavBox, a navigation system used in maritime applications. The vulnerability has a CVSS score of 7.5 and was published on March 6, 2026. The issue arises from missing authentication on HTTP API endpoints, allowing unauthenticated remote attackers with network access to the device to execute HTTP GET requests to TCP port 8080. This can lead to the retrieval of internal network parameters, including ECDIS & OT Information, device identifiers, and service status logs.
- Vendor: Navtor
- Product: NavBox
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-06
- Original CVE updated: 2026-06-05
- Advisory published: 2026-03-06
- Advisory updated: 2026-06-05
Who should care
Organizations using Navtor NavBox, particularly in maritime industries, should be aware of this vulnerability. The lack of authentication on HTTP API endpoints poses a significant risk, as attackers can exploit this to gain sensitive information about the device and its network.
Technical summary
The vulnerability is caused by the absence of authentication on the HTTP API endpoints in Navtor NavBox. An unauthenticated remote attacker with network access to the device can send HTTP GET requests to TCP port 8080 and retrieve sensitive data. Affected firmware is listed as NavBox versions up to 4.16.2.4, with 4.12.0.3 named as the specific vulnerable version.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor to enable authentication for HTTP API endpoints.
- Restrict access to TCP port 8080 to only trusted networks or systems.
- Monitor NavBox systems for any suspicious activity, especially unauthorized access attempts.
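An added example, not part of the advisory or any vendor material: one way to act on the last two items is to review firewall or flow records for connections to the NavBox API port from outside the trusted ranges. The device address, the trusted CIDR and the CSV record layout are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

NAVBOX_API_PORT = 8080  # TCP port named in the advisory

# Assumptions (not from the advisory): device address and trusted management range.
NAVBOX_HOSTS = {ipaddress.ip_address("10.20.0.15")}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/28")]

# Constructed flow records: timestamp, src, dst, proto, dst_port, action
SAMPLE_FLOWS = """\
2026-03-10T08:01:12Z,10.20.0.4,10.20.0.15,tcp,8080,allow
2026-03-10T08:03:40Z,10.20.7.88,10.20.0.15,tcp,8080,allow
2026-03-10T08:04:02Z,10.20.7.88,10.20.0.15,tcp,443,allow
2026-03-10T08:05:19Z,192.0.2.44,10.20.0.15,tcp,8080,deny
2026-03-10T08:06:51Z,10.20.7.88,10.20.0.99,tcp,8080,allow
bad,line
"""

def untrusted_api_flows(text, hosts=NAVBOX_HOSTS, trusted=TRUSTED_NETS):
    """Return flows aimed at the NavBox API port from outside the trusted ranges."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue  # skip malformed or blank records
        ts, src, dst, proto, port, action = (field.strip() for field in row)
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port_num = int(port)
        except ValueError:
            continue  # unparsable address or port
        if dst_ip not in hosts or proto.lower() != "tcp" or port_num != NAVBOX_API_PORT:
            continue  # not traffic to the unauthenticated API
        if any(src_ip in net for net in trusted):
            continue  # expected management traffic
        # "allow": the request reached the API; "deny": the filter held
        status = "exposed" if action.lower() == "allow" else "blocked"
        findings.append({"time": ts, "src": src, "dst": dst, "status": status})
    return findings

if __name__ == "__main__":
    for f in untrusted_api_flows(SAMPLE_FLOWS):
        print(f"{f['time']} {f['src']} -> {f['dst']}:{NAVBOX_API_PORT} [{f['status']}]")
```

An "exposed" finding means the port restriction is missing or too broad for that source; a "blocked" finding shows the filter working but still records an access attempt worth reviewing.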
Evidence notes
The CVE record and NVD details confirm the vulnerability's existence and provide technical specifics. Additional information can be found in the vendor's advisory and third-party vulnerability reports (see resource links).
Official resources
- CVE-2026-2754 CVE record (CVE.org)
- CVE-2026-2754 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: 56a186b1-7f5e-4314-ba38-38d5499fccfd - Third Party Advisory
- Mitigation or vendor reference: 56a186b1-7f5e-4314-ba38-38d5499fccfd - Vendor Advisory
CVE-2026-2754 was published on 2026-03-06T15:16:11.320Z and modified on 2026-06-05T16:39:37.413Z.