SignalK signalk-server, a central hub server application used in maritime environments, suffers from a critical authentication bypass vulnerability (CVE-2025-68620) in versions prior to 2.19.0. The vulnerability exploits two unauthenticated features that can be chained to steal JWT authentication tokens without prior authentication. First, the server's WebSocket stream endpoint with the `serverevents=all` parameter broadcasts cached server events, including sensitive ACCESS_REQUEST events, to readonly users, which can include unauthenticated clients if the `allow_readonly` setting is enabled. This allows attackers to enumerate pending access requests, revealing request IDs, client identifiers, requested permissions, and IP addresses. Second, the REST API endpoint `/signalk/v1/access/requests/:id` returns the full state of an access request, including the issued JWT token upon administrator approval, without requiring authentication. This endpoint uses readonly authentication, permitting unauthenticated access. Attackers can exploit these flaws in two ways: by creating spoofed access requests (leveraging IP spoofing) and polling their request status until approval, or by passively monitoring WebSocket streams to discover legitimate request IDs and polling those to steal tokens. Both methods require no authentication or user interaction, enabling complete authentication bypass and credential theft. The vulnerability impacts confidentiality and integrity severely but does not affect availability. The issue was addressed in SignalK version 2.19.0 by enforcing proper authorization checks on WebSocket event delivery and access request polling. No known exploits are currently in the wild, but the high CVSS score (9.1) reflects the critical nature of the flaw and ease of exploitation.

For European organizations, particularly those in the maritime sector using SignalK signalk-server to manage connected boat systems, this vulnerability poses a severe risk. Attackers can gain unauthorized access to device credentials, enabling them to impersonate legitimate devices or users, manipulate data streams, and potentially disrupt navigation or monitoring systems. The confidentiality breach of JWT tokens could lead to further lateral movement within maritime IoT networks, exposing sensitive operational data. Integrity of system data is compromised as attackers can issue commands or alter device states under stolen credentials. Although availability is not directly impacted, the loss of trust and control over critical maritime systems could have operational and safety consequences. European maritime companies, port authorities, and service providers relying on SignalK infrastructure must consider this vulnerability a high priority due to the critical nature of maritime operations and regulatory compliance requirements around cybersecurity.

The primary mitigation is to upgrade all SignalK signalk-server instances to version 2.19.0 or later, where the vulnerability is fixed. Until upgrades can be performed, organizations should: 1) Disable or restrict the `allow_readonly` setting to prevent unauthenticated readonly WebSocket connections. 2) Restrict network access to the WebSocket stream endpoint and the `/signalk/v1/access/requests/:id` REST API endpoint using firewall rules or network segmentation to trusted clients only. 3) Monitor access logs for unusual WebSocket connections or polling activity indicative of enumeration attempts. 4) Implement strict IP filtering and validation to prevent IP spoofing attacks that facilitate creating convincing spoofed access requests. 5) Educate administrators to promptly review and approve access requests only after thorough validation to reduce risk of token issuance to attackers. 6) Employ network intrusion detection systems tuned to detect anomalous WebSocket and REST API usage patterns. These targeted mitigations go beyond generic advice by focusing on configuration hardening and network-level controls specific to the vulnerability's exploitation vectors.