Description
The Danelec MacGregor Voyage Data Recorder

device includes a default username and password, with no enforced password change.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the default username and password credentials that remain unchanged when the MacGregor Voyage Data Recorder G4e devices are deployed. An attacker who can reach the device’s network interface can log in before any authentication policy is applied. This allows the attacker to read and modify the recorder’s configuration and captured data, potentially leading to data loss, tampering, or misuse of the vessel’s operational information. The weakness is a clear case of weak credential information, listed as CWE-1392.

Affected Systems

The affected product is the Danelec MacGregor Voyage Data Recorder (VDR) G4e. Devices running firmware versions before V5.250 are vulnerable. The firmware update V5.250, released by Danelec, removes the default credentials or enforces a mandatory password change.

Risk and Exploitability

The vulnerability has a CVSS score of 8.7, indicating a high severity. Because no EPSS score is available, the likelihood of exploitation cannot be quantified, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a local or remote network connection to the VDR, where an attacker could obtain the device through default credentials. The combination of high severity and ease of exploitation presents a significant risk to asset confidentiality and integrity.

Generated by OpenCVE AI on May 29, 2026 at 19:24 UTC.

Remediation

Vendor Solution

Danelec has released firmware version V5.250 to resolve these vulnerabilities. Users of MacGregor Voyage Data Recorder (VDR) G4e devices are encouraged to update the firmware at the earliest service attendance rather than waiting for an annual performance test. Contact Danelec with additional questions:  https://www.danelec.com/contact

OpenCVE Recommended Actions

  • Upgrade the device firmware to version V5.250 as released by Danelec
  • Immediately change the default username and password after the firmware update
  • Restrict network access to the VDR to trusted personnel and secure subnets

Generated by OpenCVE AI on May 29, 2026 at 19:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change.
Title MacGregor Voyage Data Recorder (VDR) G4e Use of Default Credentials
Weaknesses CWE-1392
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-29T19:42:06.839Z

Reserved: 2026-05-07T16:55:26.092Z

Link: CVE-2026-42941

cve-icon Vulnrichment

Updated: 2026-05-29T19:41:58.497Z

cve-icon NVD

Status : Received

Published: 2026-05-29T19:16:23.970

Modified: 2026-05-29T19:16:23.970

Link: CVE-2026-42941

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T19:30:05Z

Weaknesses