Description
The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.
Published: 2026-05-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The web interface’s administrator account can directly edit sensitive authentication files, enabling an attacker to alter the root password. This flaw allows elevated access or further tampering with system credentials, potentially leading to full control of the device. The weakness aligns with CWE‑552: Access Control Weakness.

Affected Systems

MacGregor Voyage Data Recorder (VDR) G4e devices produced by Danelec, affected by firmware versions before V5.250. The vendor recommends updating to firmware V5.250 or later to fix the issue.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium‑to‑high risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the web interface, typically through existing administrator credentials or a compromised account. Once authenticated, an attacker can change the root password, enabling persistent or elevated access.

Generated by OpenCVE AI on May 29, 2026 at 19:22 UTC.

Remediation

Vendor Solution

Danelec has released firmware version V5.250 to resolve these vulnerabilities. Users of MacGregor Voyage Data Recorder (VDR) G4e devices are encouraged to update the firmware at the earliest service attendance rather than waiting for an annual performance test. Contact Danelec with additional questions: https://www.danelec.com/contact


OpenCVE Recommended Actions

  • Upgrade the device firmware to V5.250 or later
  • Revoke any compromised root credentials and establish fresh passwords compliant with security policies
  • Restrict web interface access to trusted IP ranges or secure VPNs and monitor for unauthorized file modifications

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.
Title | | MacGregor Voyage Data Recorder (VDR) G4e Files or Directories Accessible to External Parties
Weaknesses | | CWE-552
References | |
Metrics | | cvssV3_1: {'score': 5.7, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-29T17:47:17.918Z

Reserved: 2026-05-07T16:55:26.137Z

Link: CVE-2026-40425

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-29T19:16:23.673

Modified: 2026-05-29T19:16:23.673

Link: CVE-2026-40425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:30:05Z

Weaknesses