CVE-2026-23515 is an OS command injection vulnerability classified under CWE-78 found in the SignalK signalk-server, a server application commonly deployed on central hubs in boats to manage navigation and system data. The flaw exists in versions prior to 1.5.0 and is triggered when the set-system-time plugin is enabled. The vulnerability stems from improper neutralization of special characters in shell commands constructed from navigation.datetime values received via WebSocket delta messages. Authenticated users with write permissions can exploit this to execute arbitrary shell commands on the underlying operating system, potentially gaining full control over the server. Moreover, if the SignalK server’s security is disabled, unauthenticated attackers can also exploit this vulnerability, significantly increasing the attack surface. The vulnerability affects confidentiality, integrity, and availability, as attackers can manipulate system time, execute arbitrary commands, and disrupt normal operations. The CVSS v3.1 score is 10.0 (critical), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and complete impact on CIA triad. Although no known exploits are reported in the wild, the critical nature and ease of exploitation make this a high-priority issue. The vulnerability is resolved in SignalK signalk-server version 1.5.0, which properly sanitizes inputs and avoids unsafe shell command construction.

For European organizations, especially those involved in maritime operations, shipping, and marine research, this vulnerability poses a severe risk. Compromise of a SignalK server could lead to unauthorized command execution on vessel central hubs, potentially disrupting navigation systems, manipulating system time, or causing denial of service. This could endanger vessel safety, cargo integrity, and crew security. Additionally, attackers could leverage compromised servers as footholds for lateral movement into broader maritime networks or shore-based infrastructure. The impact extends to commercial shipping companies, port authorities, and marine service providers who rely on SignalK for real-time navigation and system data. The critical severity and network exploitability mean attackers can remotely compromise systems without user interaction, increasing the likelihood of targeted attacks or automated exploitation attempts. The disruption could also affect compliance with maritime safety regulations and data protection laws applicable in Europe.

European organizations using SignalK signalk-server should immediately upgrade to version 1.5.0 or later to remediate this vulnerability. Until patching is complete, organizations should disable the set-system-time plugin if not essential, and ensure that security features on the SignalK server are enabled to prevent unauthenticated access. Network segmentation should be enforced to isolate SignalK servers from untrusted networks and limit exposure to the internet. Implement strict access controls and monitor WebSocket traffic for anomalous navigation.datetime values or suspicious command injection patterns. Employ runtime application self-protection (RASP) or intrusion detection systems (IDS) capable of detecting command injection attempts. Regularly audit server configurations and logs for signs of exploitation. Maritime operators should incorporate this vulnerability into their risk assessments and incident response plans, ensuring rapid detection and containment of any compromise. Collaboration with maritime cybersecurity authorities and sharing threat intelligence can enhance preparedness against exploitation attempts.