CISA Flags Hard-Coded Credentials in NAVTOR NavBox ICS Software
CISA has issued an advisory for a critical vulnerability in NAVTOR NavBox software, stemming from hard-coded credentials that could allow local attackers to manipulate files and disrupt operations.

CISA has identified a critical vulnerability, CVE-2026-21404, affecting NAVTOR NavBox software versions prior to 4.17.2.6. The vulnerability arises from the presence of hard-coded credentials within the Windows Communication Foundation (WCF) SOAP implementation of the software. This flaw could enable a local attacker to extract these credentials, bypass intended workflows, and gain unauthorized access to privileged SOAP methods.
Successful exploitation of this vulnerability grants an attacker the ability to write or overwrite files within application-defined paths. This capability poses a significant risk, as it could lead to the disruption of critical operations within industrial control systems (ICS) environments where NAVTOR NavBox is deployed. The software is used in the Information Technology sector and is deployed worldwide, with the company headquartered in Norway.
The vulnerability has a CVSS v3.1 base score of 6.3 (MEDIUM) and a CVSS v4.0 score of 5.8 (MEDIUM). The attack vector is local, the complexity is noted as high, and exploitation requires the SOAP functionality to be enabled. The CVSS v3.1 metrics indicate a low attack complexity, low privileges required, no user interaction needed, and a high impact on confidentiality, integrity, and availability.
NAVTOR has addressed this vulnerability by releasing a patch in April 2026. Version 4.17.2.6 and later versions of NavBox contain the fix. For users with active NavBox connections, the software will be automatically updated to the latest version, meaning no user action is required to remediate this specific issue.
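
An inventory triage against the fix boundary above, added here as an example and not code from NAVTOR or CISA: it compares versions numerically against 4.17.2.6 (plain string comparison misorders 4.17.2.10 and 4.9.x) and flags affected hosts that have SOAP enabled or lack the active connection needed for automatic updating. The CSV columns, host names and rows are constructed assumptions.

```python
import csv
import io

FIXED = (4, 17, 2, 6)  # first fixed NavBox version named in the advisory

# Constructed inventory export; column names and rows are assumptions.
INVENTORY = """host,version,soap_enabled,active_connection
bridge-pc-01,4.17.2.6,yes,yes
bridge-pc-02,4.17.2.5,yes,no
bridge-pc-03,4.9.8.1,no,yes
bridge-pc-04,4.17.2.10,yes,yes
bridge-pc-05,unknown,yes,no
"""

def parse_version(text):
    """'4.17.2.6' -> (4, 17, 2, 6); short versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def triage(row):
    """Classify one inventory row against CVE-2026-21404."""
    try:
        version = parse_version(row["version"])
    except ValueError:
        # Never treat an unreadable version as patched.
        return {"status": "unknown", "soap_exposed": None, "manual_update": None}
    if version >= FIXED:  # tuple comparison is numeric per component
        return {"status": "patched", "soap_exposed": False, "manual_update": False}
    return {
        "status": "affected",
        # Exploitation requires SOAP to be enabled.
        "soap_exposed": row["soap_enabled"].strip().lower() == "yes",
        # Only hosts with an active connection are updated automatically.
        "manual_update": row["active_connection"].strip().lower() != "yes",
    }

def triage_inventory(csv_text):
    """Return {host: triage result} for a CSV inventory export."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, result in triage_inventory(INVENTORY).items():
        print(host, result)
```
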
CISA recommends that organizations take standard defensive measures to minimize the risk of exploitation. These include minimizing network exposure for all control system devices, ensuring they are not accessible from the internet, locating control system networks behind firewalls, and isolating them from business networks. When remote access is necessary, more secure methods like VPNs should be employed, with the understanding that VPNs themselves must be kept up to date and are only as secure as the devices connected to them.
While no public exploitation targeting this specific vulnerability has been reported to CISA at this time, the advisory serves as a crucial alert for organizations utilizing NAVTOR NavBox. The vulnerability is not remotely exploitable, but its local nature combined with the potential for file manipulation underscores the importance of robust access controls and regular security patching.
CISA also reminds organizations to perform thorough impact analyses and risk assessments before deploying any defensive measures. Best practices for control systems security, including defense-in-depth strategies and targeted cyber intrusion detection, are available on CISA's ICS webpage. Organizations observing suspicious activity should follow internal procedures and report findings to CISA.
The vulnerability was reported to CISA by Cydome Security Ltd. It is classified as CWE-798 (Use of Hard-coded Credentials), a common security weakness that can have severe consequences in operational technology environments, where system availability and integrity are paramount.