Researchers from Cydome have disclosed three vulnerabilities affecting NAVTOR NavBox version 4.12.0.3, a maritime connectivity device widely used on vessels to manage chart updates, navigation data distribution, and ship-shore communications. The flaws could allow remote attackers to access sensitive operational information or internal files from onboard systems if the device is exposed to an untrusted network.
The most severe issues, tracked as CVE-2026-2752 and CVE-2026-2753, carry CVSS scores of 7.5 and stem from missing authentication controls and an absolute path traversal flaw in the device’s HTTP service.
According to the advisory, unauthenticated attackers could query internal API endpoints to retrieve unencrypted JSON data containing environmental information, configuration parameters, operational telemetry, and service status details, potentially exposing elements of the vessel’s maritime OT (operational technology) environment. In the case of the path traversal vulnerability, crafted HTTP requests could bypass directory restrictions and allow attackers to read arbitrary files from the host operating system, including sensitive configuration files.
A third vulnerability, CVE-2026-2754, enables information disclosure through verbose stack traces generated by unhandled exceptions. By triggering errors in specific endpoints, a remote attacker could obtain internal application details such as class names, method calls, and references to third-party libraries, potentially aiding reconnaissance or further exploitation attempts.
“Attackers can gain unauthorized access to sensitive vessel operations data, for example: unencrypted real-time telemetry data, network information, information about other devices connected to the same network (e.g., identify the ECDIS IP address) and more,” Cydome said in its post. “In addition, the vulnerabilities may allow unauthorized access to the device’s file system, which could be used for further exploitation.”
The post noted that the vulnerabilities affect NavBox version 4.12.0.3 and earlier builds, while patched versions were released in later software updates beginning with version 4.16.2.4. Maritime operators and fleet managers are advised to update affected systems and restrict access to exposed API endpoints to reduce the risk of unauthorized access to onboard navigation and operational networks.
Cydome said that “the research was responsibly shared with NAVTOR, who confirmed the findings and that the issue was fixed in NavBox before public disclosure. As part of the process, NAVTOR also reported that all relevant customers were informed.”
“Shipping companies are currently facing a significant gap,” Nir Ayalon, CEO of Cydome, said in a media statement. “While their fleets become more connected with LEO broadband service, their OT devices are more exposed than ever to cyber threats. Cydome’s mission is to promote the safety of the industry and sea travel, and as part of that, we identified and responsibly released the NavBox vulnerabilities to help shipping companies prevent the risk before it’s exploited by malicious actors.”
“At NAVTOR, we are committed to maintaining the highest standards of product security, and welcome good‑faith security research and coordinated vulnerability disclosure,” said Tyr Steffensen, cybersecurity officer at NAVTOR. “Following Cydome’s responsible report, we verified the three findings and confirmed they impacted legacy NavBox v4.12.0.3.”
Steffensen said the issues have been remediated. CVE-2026-2753 was addressed in NavBox v4.14.1.2 and later, released in late 2024. CVE-2026-2752 and CVE-2026-2754 were addressed in NavBox v4.16.2.4 and later, released last November.
“Affected customers have been contacted individually. Customers with an active, online NavBox have been patched since late 2024 for CVE‑2026‑2753 and since November 2025 for CVE‑2026‑2752 and CVE‑2026‑2754,” according to Steffensen. “Customers can rest assured that all NavBoxes with an active online connection are automatically kept up to date with the latest version. We thank Cydome for identifying these vulnerabilities and for the responsible disclosure.”
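NavBoxes without an active online connection fall outside the automatic update path described above, so a fleet inventory check against the stated fix versions is a practical follow-up. The following is an added example, not code from Cydome or NAVTOR; the vessel names and the inventory format are constructed, and only the version thresholds come from the article.

```python
import re

# Fix versions as stated by NAVTOR in the article above.
FIXED_IN = {
    "CVE-2026-2752": (4, 16, 2, 4),
    "CVE-2026-2753": (4, 14, 1, 2),
    "CVE-2026-2754": (4, 16, 2, 4),
}

# Four numeric parts with an optional leading "v" (assumed inventory notation).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a four-part version."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def open_cves(version_text):
    """CVEs from the advisory still unfixed at this version; None if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return None
    # Integer tuples compare numerically, so 4.9.x sorts below 4.14.x
    # (a plain string comparison would get this wrong).
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit(inventory):
    """Map each vessel to its open CVEs, or 'UNKNOWN' so bad records get a manual check."""
    report = {}
    for vessel, version_text in inventory.items():
        cves = open_cves(version_text)
        report[vessel] = "UNKNOWN" if cves is None else cves
    return report


# Constructed inventory: vessel names and versions are sample data.
SAMPLE_INVENTORY = {
    "MV Example A": "4.12.0.3",
    "MV Example B": "v4.14.1.2",
    "MV Example C": "4.16.2.4",
    "MV Example D": "4.9.10.1",
    "MV Example E": "unknown",
}

if __name__ == "__main__":
    for vessel, result in audit(SAMPLE_INVENTORY).items():
        print(f"{vessel}: {result if result else 'patched'}")
```

Records reported as UNKNOWN should be verified on the device rather than assumed patched.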
Earlier this month, a Cydome report highlighted a sharp rise in OT and maritime cyber incidents, reporting that ransomware attacks targeting the sector increased by 150% in 2025. Spoofing of GPS systems surged dramatically, with 1,000 reported incidents affecting around 40,000 vessels per day. Attacks targeting edge devices, including routers, VPNs, and firewalls, grew by 800%, reflecting a widening threat landscape for connected maritime infrastructure. The report said that 50,000 new vulnerabilities were published in 2025, with 52 classified as ‘high’ or ‘critical,’ while 87% of organizations view AI-related vulnerabilities as the fastest-growing cyber risk of 2025.





