CVE-2026-40425 MEDIUM

Published: 2026-05-29 | Last Modified: 2026-06-03 | Status: Analyzed

Description

The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.

CVSS Metrics

Base Score: 4.9 (MEDIUM)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	HIGH
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	NONE
Integrity Impact	HIGH
Availability Impact	NONE

Source: [email protected]

Type: Primary

Exploitability Score: 1.2

Impact Score: 3.6

Base Score: 6.9 (MEDIUM)

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector	ADJACENT
Attack Complexity	LOW
Attack Requirements	NONE
Privileges Required	HIGH
User Interaction	NONE
Vulnerability Confidentiality	HIGH
Vulnerability Integrity	LOW
Vulnerability Availability	LOW
Subsequent Confidentiality	NONE
Subsequent Integrity	NONE
Subsequent Availability	NONE

Source: [email protected]

Type: Secondary

Weaknesses

Source	Type	Description
[email protected]	Primary	en CWE-552

Affected Products

Vendor	Product	Version	Update	Type
macgregor	interschalt_vdr_g4e_firmware	*	<built-in method update of dict object at 0x7f764032e240>	Operating System

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:macgregor:interschalt_vdr_g4e_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:macgregor:interschalt_vdr_g4e:-:::::::*`

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json
Source: [email protected]

Issue Tracking
https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01
Source: [email protected]

US Government Resource Third Party Advisory
https://www.danelec.com/contact
Source: [email protected]

Product