Description
Danelec MacGregor Voyage Data Recorder
includes default accounts with hard-coded credentials.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the presence of default accounts with hard-coded credentials in the MacGregor Voyage Data Recorder (VDR) G4e firmware. An attacker who discovers these credentials can authenticate to the device without performing legitimate user authentication, enabling them to potentially modify configuration settings, tamper with recorded data, or deploy malicious firmware updates. The weakness is classified as CWE‑798, which in practice can lead to full control over the recorder’s functions.

Affected Systems

Danelec’s MacGregor Voyage Data Recorder, model G4e, is affected. Users running firmware versions prior to the released V5.250 update are at risk. The vendor recommends updating to V5.250 at the earliest opportunity rather than awaiting routine service intervals.

Risk and Exploitability

The CVSS score of 8.7 signals high severity, and the absence of an EPSS value does not negate a significant exploitation probability, especially for an industrial control system component that is often networked. The device is not listed in the CISA KEV catalog, but the presence of hard-coded credentials provides a straightforward remote or local attack path for an adversary. The likely vector involves network access to the device’s management interface, allowing legitimate credentials to be used to gain entry.

Generated by OpenCVE AI on May 29, 2026 at 19:23 UTC.

Remediation

Vendor Solution

Danelec has released firmware version V5.250 to resolve these vulnerabilities. Users of MacGregor Voyage Data Recorder (VDR) G4e devices are encouraged to update the firmware at the earliest service attendance rather than waiting for an annual performance test. Contact Danelec with additional questions:  https://www.danelec.com/contact

OpenCVE Recommended Actions

  • Update the device firmware to version V5.250 or later as released by Danelec.
  • Immediately log into the device and change or disable the default hard‑coded credentials to unique, complex values.
  • Implement network segmentation or firewall rules to limit access to the VDR and monitor authentication logs for anomalous activity.

Generated by OpenCVE AI on May 29, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials.
Title MacGregor Voyage Data Recorder (VDR) G4e Use of Hard-coded Credentials
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-29T19:45:30.368Z

Reserved: 2026-05-07T16:55:26.131Z

Link: CVE-2026-42929

cve-icon Vulnrichment

Updated: 2026-05-29T19:45:24.777Z

cve-icon NVD

Status : Received

Published: 2026-05-29T19:16:23.830

Modified: 2026-05-29T19:16:23.830

Link: CVE-2026-42929

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T19:30:05Z

Weaknesses