{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2754", "assignerOrgId": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "state": "PUBLISHED", "assignerShortName": "MHV", "dateReserved": "2026-02-19T14:48:29.327Z", "datePublished": "2026-03-06T15:05:20.800Z", "dateUpdated": "2026-03-10T15:48:14.180Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "shortName": "MHV", "dateUpdated": "2026-03-10T15:48:14.180Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Information Disclosure"}]}], "affected": [{"vendor": "Navtor", "product": "NavBox", "versions": [{"status": "affected", "version": "4.12.0.3"}, {"status": "unaffected", "version": "4.16.2.4"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS &amp; OT Information, device identifiers, and service status logs.</p>"}]}], "references": [{"url": "https://cydome.io/vulnerability-advisory-cve-2026-2754-in-navtor-navbox-version-4-12-0-3", "tags": ["technical-description"]}, {"url": "https://www.navtor.com/navtor-vendor-statement", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Cydome Security Ltd", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2754", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:57:11.343071Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T21:04:31.978Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2754", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:57:11.343071Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:58:10.370Z"}}], "cna": {"source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Cydome Security Ltd"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Information Disclosure"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Navtor", "product": "NavBox", "versions": [{"status": "affected", "version": "4.12.0.3"}, {"status": "unaffected", "version": "4.16.2.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cydome.io/vulnerability-advisory-cve-2026-2754-in-navtor-navbox-version-4-12-0-3", "tags": ["technical-description"]}, {"url": "https://www.navtor.com/navtor-vendor-statement", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.", "supportingMedia": [{"type": "text/html", "value": "<p>Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS &amp; OT Information, device identifiers, and service status logs.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "shortName": "MHV", "dateUpdated": "2026-03-10T15:48:14.180Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2754", "state": "PUBLISHED", "dateUpdated": "2026-03-10T15:48:14.180Z", "dateReserved": "2026-02-19T14:48:29.327Z", "assignerOrgId": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "datePublished": "2026-03-06T15:05:20.800Z", "assignerShortName": "MHV"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:navtor:navbox_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "57C10155-5A08-4770-B891-403CBD17BE07", "versionEndExcluding": "4.16.2.4", "versionStartIncluding": "4.12.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:navtor:navbox:-:*:*:*:*:*:*:*", "matchCriteriaId": "C140C319-E253-456F-B667-FEF0F3E4DC35", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs."}, {"lang": "es", "value": "Navtor NavBox expone datos de configuraci\u00f3n y operativos sensibles debido a la falta de autenticaci\u00f3n en los puntos finales de la API HTTP. Un atacante remoto no autenticado con acceso de red al dispositivo puede ejecutar solicitudes GET HTTP al puerto TCP 8080 para recuperar par\u00e1metros de red internos, incluyendo informaci\u00f3n ECDIS y OT, identificadores de dispositivo y registros de estado del servicio."}], "id": "CVE-2026-2754", "lastModified": "2026-06-05T16:39:37.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "type": "Secondary"}]}, "published": "2026-03-06T15:16:11.320", "references": [{"source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "tags": ["Third Party Advisory"], "url": "https://cydome.io/vulnerability-advisory-cve-2026-2754-in-navtor-navbox-version-4-12-0-3"}, {"source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "tags": ["Vendor Advisory"], "url": "https://www.navtor.com/navtor-vendor-statement"}], "sourceIdentifier": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.12.0.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "4.16.2.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "NavBox", "source": "cna", "vendor": "Navtor"}, "product": "navbox", "vendor": "navtor"}], "analysis": {"en": {"generated_at": "2026-04-16T11:23:50.065271+00:00", "value": {"mitigation_remediation": ["Upgrade NavBox firmware to the latest vendor release that enforces authentication on API endpoints.", "Restrict external access to TCP port 8080 by blocking traffic at the network perimeter or using a firewall rule that allows only trusted IP ranges.", "Place the device behind a VPN or internal management network and apply access control lists so that only authorized management hosts can reach the 8080 service.", "If an immediate upgrade is not possible, implement an authentication proxy or reverse\u2011proxy that requires credentials before exposing the API."], "summary": {"action": "Patch ASAP", "impact": "Unauthorized Data Disclosure"}, "threat_synthesis": {"affected_systems": "All NavTor NavBox devices running impacted firmware are affected. No specific version is listed, so any device that has not applied the vendor\u2019s fix or upgraded firmware is vulnerable.", "description_and_impact": "The NavBox device allows unauthenticated HTTP GET requests on TCP port 8080, exposing internal network parameters, ECDIS and OT information, device identifiers, and service status logs. This missing authentication flaw (CWE\u2011306) lets a remote attacker learn detailed configuration and operational data that could be used for reconnaissance or to plan further attacks. The vulnerability is read\u2010only, so it does not grant code execution, but the sensitive data expose the device and network to significant risk.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity level for confidentiality and integrity. Although the EPSS score is below 1% and the vulnerability is not in the CISA KEV catalog, an attacker with network access to port 8080 can exploit the flaw remotely. The likelihood remains low, but the impact of disclosed configuration makes it a priority to mitigate."}}}}, "created": "2026-03-09T10:07:30.167931+00:00", "title": "Unauthenticated HTTP API Disclosure in Navtor NavBox", "updated": "2026-04-16T11:30:15.905393+00:00", "vendors": ["navtor", "navtor$PRODUCT$navbox"]}