CVE-2026-2754
Published: 06 March 2026
Summary
CVE-2026-2754 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Navtor Navbox Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-2754 is a missing authentication vulnerability (CWE-306) in Navtor NavBox version 4.12.0.3, where HTTP API endpoints on TCP port 8080 lack proper authentication controls. This exposure allows access to sensitive configuration and operational data, including internal network parameters, ECDIS and OT information, device identifiers, and service status logs. Published on 2026-03-06, the vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact with network-wide attack complexity.
An unauthenticated remote attacker with network access to the affected device can exploit this vulnerability by sending HTTP GET requests to the exposed API endpoints on port 8080. Successful exploitation enables retrieval of the sensitive data without requiring privileges, user interaction, or scope changes, potentially compromising operational technology environments in maritime settings.
Mitigation details are outlined in advisories from Cydome at https://cydome.io/vulnerability-advisory-cve-2026-2754-in-navtor-navbox-version-4-12-0-3 and Navtor's vendor statement at https://www.navtor.com/navtor-vendor-statement. Security practitioners should consult these resources for patching instructions, workarounds, and affected version confirmations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10039
Vulnerability details
Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters…
more
including ECDIS & OT Information, device identifiers, and service status logs.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing auth on public HTTP API (port 8080) directly enables T1190 for initial remote access; retrieved config/OT/network data directly facilitates T1005 (local system data), T1082 (system info), and T1016 (network config discovery).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for logical access to system resources in accordance with applicable access control policies, directly preventing unauthenticated retrieval of sensitive data via HTTP API endpoints.
Uniquely identifies and authenticates non-organizational users or processes acting on their behalf before allowing access to the system, mitigating exploitation by unauthenticated remote attackers.
Defines and documents specific user or process actions that can be performed without identification or authentication while prohibiting access to sensitive configuration and operational data endpoints.