NAVTOR NavBox

MEDIUM

CVSS 6.3

Date 2026-06-04T06:00:00+00:00

Source cisa-csaf

Published by CISA

// Description

Successful exploitation of this vulnerability could allow a local attacker to gain unauthorized access to SOAP methods, resulting in a disruption of operations.

// Vulnerabilities (1)

CVE ID	CVSS Score	Severity	Description
CVE-2026-21404	6.3	medium	NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.

// Remediations (1)

Patch: NAVTOR has released a patch for NavBox in April 2026. Version 4.17.2.6 and later includes the fix.

NAVTOR has released a patch for NavBox in April 2026. Version 4.17.2.6 and later includes the fix. Users that have an active NavBox connection will automatically be kept up to date with the latest version. No user action required.

NAVTOR NavBox

// Description

// Vulnerabilities (1)

// Remediations (1)

// References