Description
Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.
Published: 2026-03-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Disclosure
Action: Patch ASAP
AI Analysis

Impact

The NavBox device allows unauthenticated HTTP GET requests on TCP port 8080, exposing internal network parameters, ECDIS and OT information, device identifiers, and service status logs. This missing authentication flaw (CWE‑306) lets a remote attacker learn detailed configuration and operational data that could be used for reconnaissance or to plan further attacks. The vulnerability is read‐only, so it does not grant code execution, but the sensitive data expose the device and network to significant risk.

Affected Systems

All NavTor NavBox devices running impacted firmware are affected. No specific version is listed, so any device that has not applied the vendor’s fix or upgraded firmware is vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level for confidentiality and integrity. Although the EPSS score is below 1% and the vulnerability is not in the CISA KEV catalog, an attacker with network access to port 8080 can exploit the flaw remotely. The likelihood remains low, but the impact of disclosed configuration makes it a priority to mitigate.

Generated by OpenCVE AI on April 16, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NavBox firmware to the latest vendor release that enforces authentication on API endpoints.
  • Restrict external access to TCP port 8080 by blocking traffic at the network perimeter or using a firewall rule that allows only trusted IP ranges.
  • Place the device behind a VPN or internal management network and apply access control lists so that only authorized management hosts can reach the 8080 service.
  • If an immediate upgrade is not possible, implement an authentication proxy or reverse‑proxy that requires credentials before exposing the API.

Generated by OpenCVE AI on April 16, 2026 at 11:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP API Disclosure in Navtor NavBox

Tue, 10 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
References

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Navtor
Navtor navbox
Vendors & Products Navtor
Navtor navbox

Fri, 06 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Navtor Navbox
cve-icon MITRE

Status: PUBLISHED

Assigner: MHV

Published:

Updated: 2026-03-10T15:48:14.180Z

Reserved: 2026-02-19T14:48:29.327Z

Link: CVE-2026-2754

cve-icon Vulnrichment

Updated: 2026-03-09T20:58:10.370Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-06T15:16:11.320

Modified: 2026-03-10T18:18:49.983

Link: CVE-2026-2754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses