CISA Warns of Multiple Critical Vulnerabilities in Danelec MacGregor Voyage Data Recorder G4e
CISA has issued an advisory detailing five vulnerabilities in the Danelec MacGregor Voyage Data Recorder G4e, including default and hard-coded credentials, that could allow attackers to gain full administrator access to maritime transportation systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning of multiple vulnerabilities in the Danelec MacGregor Voyage Data Recorder (VDR) G4e, a critical device used in maritime transportation systems to record voyage data. The flaws, which include default credentials, hard-coded credentials, weak password hashing, and insufficiently protected credentials, could allow an attacker to gain administrator access to the device. The advisory, published as ICSA-26-148-01, covers five CVEs: CVE-2026-42941, CVE-2026-42951, CVE-2026-44611, CVE-2026-42929, and CVE-2026-40425.
The most severe vulnerability, CVE-2026-42941, involves the use of default credentials with no enforced password change, earning a CVSS v3.1 base score of 8.3 (HIGH). An attacker with network access to the device could exploit this to gain full administrative control. Similarly, CVE-2026-42929 involves hard-coded credentials in default accounts, also rated 8.3. These two flaws alone could allow an attacker to take over the VDR without any authentication, potentially disrupting navigation logs or manipulating recorded data.
Additional vulnerabilities include CVE-2026-42951, which allows an authenticated user to download a backup containing account data and password hashes (CVSS 5.4), and CVE-2026-44611, where passwords are stored using a weak hashing method susceptible to brute-force attacks (CVSS 5.4). CVE-2026-40425 permits an administrator to directly edit sensitive authentication files, potentially changing the root password (CVSS 5.7). Combined, these flaws create a chain that could lead to full device compromise.
The affected product is the MacGregor Voyage Data Recorder (VDR) G4e running firmware versions prior to V5.250. The devices are deployed worldwide in the Transportation Systems sector, with the vendor headquartered in Denmark. Danelec, which owns MacGregor, has released firmware version V5.250 to address all five vulnerabilities. Users are strongly encouraged to update at the earliest service attendance rather than waiting for an annual performance test.
CISA recommends that organizations minimize network exposure for all control system devices, ensuring they are not accessible from the internet. Control system networks should be located behind firewalls and isolated from business networks. When remote access is required, more secure methods such as virtual private networks (VPNs) should be used. The agency also advises following recommended practices for industrial control system security.
The vulnerabilities were reported to CISA by Andrew Tierney of Pen Test Partners, a security research firm known for uncovering flaws in maritime and industrial systems. This advisory highlights the growing attention on cybersecurity in the maritime sector, where legacy devices often lack modern security features. The MacGregor VDR G4e is a critical component for voyage data recording, and a compromise could have serious implications for maritime safety and operations.
Organizations using the affected devices should contact Danelec for additional information and support. The advisory serves as a reminder that even specialized industrial equipment must be regularly patched and secured against evolving threats. With the firmware update now available, operators should prioritize deployment to mitigate the risk of exploitation.