Cyber Resilience

CVE-2026-2754

HighUpdated

Published: 06 March 2026

Published
06 March 2026
Modified
05 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0006 18.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2754 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Navtor Navbox Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-2754 is a missing authentication vulnerability (CWE-306) in Navtor NavBox version 4.12.0.3, where HTTP API endpoints on TCP port 8080 lack proper authentication controls. This exposure allows access to sensitive configuration and operational data, including internal network parameters, ECDIS and OT information, device identifiers, and service status logs. Published on 2026-03-06, the vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact with network-wide attack complexity.

An unauthenticated remote attacker with network access to the affected device can exploit this vulnerability by sending HTTP GET requests to the exposed API endpoints on port 8080. Successful exploitation enables retrieval of the sensitive data without requiring privileges, user interaction, or scope changes, potentially compromising operational technology environments in maritime settings.

Mitigation details are outlined in advisories from Cydome at https://cydome.io/vulnerability-advisory-cve-2026-2754-in-navtor-navbox-version-4-12-0-3 and Navtor's vendor statement at https://www.navtor.com/navtor-vendor-statement. Security practitioners should consult these resources for patching instructions, workarounds, and affected version confirmations.

EU & UK References

Vulnerability details

Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters…

more

including ECDIS & OT Information, device identifiers, and service status logs.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1082 System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1016 System Network Configuration Discovery Discovery
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
Why these techniques?

Missing auth on public HTTP API (port 8080) directly enables T1190 for initial remote access; retrieved config/OT/network data directly facilitates T1005 (local system data), T1082 (system info), and T1016 (network config discovery).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2753Same product: Navtor Navbox
CVE-2026-32646Shared CWE-306
CVE-2025-30111Shared CWE-306
CVE-2024-13186Shared CWE-306
CVE-2026-34732Shared CWE-306
CVE-2025-25224Shared CWE-306
CVE-2025-43428Shared CWE-306
CVE-2025-24865Shared CWE-306
CVE-2025-0108Shared CWE-306
CVE-2025-21515Shared CWE-306

Affected Assets

navtor
navbox firmware
4.12.0.3 — 4.16.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to system resources in accordance with applicable access control policies, directly preventing unauthenticated retrieval of sensitive data via HTTP API endpoints.

prevent

Uniquely identifies and authenticates non-organizational users or processes acting on their behalf before allowing access to the system, mitigating exploitation by unauthenticated remote attackers.

prevent

Defines and documents specific user or process actions that can be performed without identification or authentication while prohibiting access to sensitive configuration and operational data endpoints.

References