Medium severity6.3NVD Advisory· Published Jun 4, 2026

CVE-2026-21404

Description

NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.

Affected products

Cisagov/Csafreferences
Navtor/NavBoxllm-fuzzy
Range: <=4.16.1.20

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-155-01.jsonnvd
www.cisa.gov/news-events/ics-advisories/icsa-26-155-01nvd

News mentions

NAVTOR NavBox
CISA ICS Advisories

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000