Cyber Posture

CVE-2025-66398

Critical · Public PoC · RCE

Published: 01 January 2026
Modified: 06 January 2026
KEV Added: not listed
Patch: version 2.19.0
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.0th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66398 is a critical-severity OS Command Injection (CWE-78) vulnerability in Signalk Signal K Server. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent (SI-10, Information Input Validation): Validates inputs to the `/skServer/validateBackup` endpoint to prevent crafted requests from polluting the `restoreFilePath` internal state.
- Prevent (AC-3, Access Enforcement): Enforces access controls on the `/skServer/validateBackup` endpoint to block unauthenticated attackers from manipulating server state.
- Prevent (vendor patch): Remediates the vulnerability by applying the vendor patch in Signal K Server version 2.19.0 that fixes the state pollution issue.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing web application endpoint (/skServer/validateBackup) in Signal K Server, allowing state pollution of restoreFilePath, file overwrites (e.g., security.json, package.json), account takeover, and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

Deeper analysis

CVE-2025-66398 affects Signal K Server, an application that runs on central hubs in boats, in versions prior to 2.19.0. The vulnerability enables an unauthenticated attacker to pollute the server's internal state, specifically the `restoreFilePath` variable, through the `/skServer/validateBackup` endpoint. This manipulation hijacks the administrator's "Restore" functionality, allowing overwrite of critical configuration files such as `security.json` and `package.json`. The issue is associated with CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-913 (Improper Control of Dynamically-Managed Code Resources), earning a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

An unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the `/skServer/validateBackup` endpoint, requiring subsequent user interaction from an administrator who triggers the restore process. Successful exploitation leads to account takeover by altering security configurations and remote code execution (RCE) through modifications to files like `package.json`, granting full control over the server.

The Signal K Server release notes for version 2.19.0 and the associated GitHub security advisory (GHSA-w3x5-7c4c-66p9) confirm that updating to v2.19.0 fully patches the vulnerability by addressing the state pollution in the validateBackup endpoint. Security practitioners should prioritize upgrading affected boat hub installations to mitigate risks in maritime environments.

Details

CWE(s): CWE-78, CWE-913

Affected Products:
- signalk / signal k server, ≤ 2.19.0

CVEs Like This One

- CVE-2025-68619 (same product: Signalk Signal K Server)
- CVE-2026-33951 (same product: Signalk Signal K Server)
- CVE-2026-23515 (same product: Signalk Signal K Server)
- CVE-2026-33950 (same product: Signalk Signal K Server)
- CVE-2025-68620 (same product: Signalk Signal K Server)
- CVE-2025-69203 (same product: Signalk Signal K Server)
- CVE-2025-68272 (same product: Signalk Signal K Server)
- CVE-2026-39320 (same product: Signalk Signal K Server)
- CVE-2026-23702 (shared CWE-78)
- CVE-2024-50603 (shared CWE-78)
