Cyber Resilience

CVE-2025-66398

Critical · Public PoC · RCE

Published: 01 January 2026
Modified: 06 January 2026
KEV Added: not listed
Patch: available (version 2.19.0)
CVSS v3.1 score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS score: 0.1793 (96.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-66398 is a critical-severity OS Command Injection (CWE-78) vulnerability in Signal K Server (vendor: signalk). Its CVSS v3.1 base score is 9.6 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.2% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-66398 affects Signal K Server, an application that runs on a central hub in a boat, in all versions prior to 2.19.0. An unauthenticated attacker can pollute the server's internal state, specifically the `restoreFilePath` variable, through the `/skServer/validateBackup` endpoint. Because that variable is later consumed by the administrator's "Restore" function, the attacker controls which archive the restore applies and can overwrite critical configuration files such as `security.json` and `package.json`. The issue is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-913 (Improper Control of Dynamically-Managed Code Resources); note that the mechanism described is control over the file the server's own restore logic writes, not injection of shell metacharacters. It carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

An unauthenticated remote attacker exploits this by sending crafted requests to the `/skServer/validateBackup` endpoint; the attack completes only when an administrator subsequently triggers the restore process, which is the user interaction the vector's UI:R reflects. Successful exploitation leads to account takeover by altering the security configuration in `security.json` and to remote code execution (RCE) through modifications to `package.json`, granting full control over the server.

The Signal K Server release notes for version 2.19.0 and the associated GitHub security advisory (GHSA-w3x5-7c4c-66p9) confirm that updating to v2.19.0 patches the vulnerability by fixing the state pollution in the validateBackup endpoint. Practitioners should prioritize upgrading affected boat hub installations; where an upgrade cannot happen immediately, the endpoint should at minimum not be reachable from untrusted networks, since the attack needs only network access plus one administrator click.

Vulnerability details

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
CWE-913: Improper Control of Dynamically-Managed Code Resources

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing web application endpoint (/skServer/validateBackup) in Signal K Server, allowing state pollution of restoreFilePath, file overwrites (e.g., security.json, package.json), account takeover, and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68619: same product (Signal K Server)
CVE-2026-23515: same product (Signal K Server)
CVE-2026-33951: same product (Signal K Server)
CVE-2026-33950: same product (Signal K Server)
CVE-2025-68620: same product (Signal K Server)
CVE-2025-69203: same product (Signal K Server)
CVE-2026-39320: same product (Signal K Server)
CVE-2025-68272: same product (Signal K Server)
CVE-2022-31764: shared CWE-913
CVE-2025-43984: shared CWE-78

Affected Assets

Vendor: signalk
Product: Signal K Server
Affected versions: < 2.19.0 (fixed in 2.19.0)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent): Validates inputs to the `/skServer/validateBackup` endpoint so that crafted requests cannot pollute the `restoreFilePath` internal state.

AC-3 Access Enforcement (prevent): Enforces access controls on the `/skServer/validateBackup` endpoint so that unauthenticated callers cannot manipulate server state.

Vendor patch (prevent): Remediates the vulnerability by upgrading to Signal K Server version 2.19.0, which fixes the state pollution issue.
