CVE-2026-23515: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in SignalK signalk-server
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
AI Analysis
Technical Summary
CVE-2026-23515 is an OS command injection vulnerability identified in the SignalK signalk-server, a server application used primarily on maritime vessels to centralize navigation and sensor data. The vulnerability exists in versions prior to 1.5.0 and is triggered when the set-system-time plugin is enabled. The root cause is the improper neutralization of special elements in OS commands (CWE-78), specifically due to unsafe construction of shell commands that incorporate navigation.datetime values received via WebSocket delta messages. Authenticated users with write permissions can exploit this vulnerability to execute arbitrary shell commands on the underlying operating system, potentially gaining full control over the server. Moreover, if the SignalK server’s security is disabled, unauthenticated attackers can also exploit this flaw, significantly broadening the attack surface. The vulnerability has a CVSS v3.1 score of 10.0, reflecting its critical nature with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability with a scope change. Although no exploits have been reported in the wild yet, the vulnerability’s characteristics make it highly exploitable and dangerous. The issue is resolved in SignalK signalk-server version 1.5.0, where proper input sanitization and command construction have been implemented to prevent injection. This vulnerability is particularly relevant for maritime organizations relying on SignalK servers for navigation and vessel management, as compromise could lead to manipulation of navigation data, disruption of vessel operations, or further lateral movement within maritime networks.
Potential Impact
For European organizations, especially those involved in maritime operations, shipping, and marine research, this vulnerability poses a critical risk. Exploitation could lead to full system compromise of the SignalK server, allowing attackers to execute arbitrary commands, potentially disrupting navigation systems, altering vessel data, or causing denial of service. This could result in operational downtime, safety hazards at sea, and loss of sensitive navigation or operational data. Given the interconnected nature of maritime systems, a compromised SignalK server could serve as a pivot point for further attacks on onboard networks or shore-based infrastructure. The impact extends to regulatory compliance issues under EU maritime safety and cybersecurity regulations. Organizations with vessels operating in European waters or ports are at heightened risk, as attackers could leverage this vulnerability to interfere with critical maritime infrastructure. The critical severity and network exploitability mean that even remote attackers could cause significant harm if security controls are lax or outdated versions are in use.
Mitigation Recommendations
1. Immediate upgrade of all SignalK signalk-server instances to version 1.5.0 or later, where the vulnerability is fixed.
2. Ensure that the set-system-time plugin is disabled if not required, reducing the attack surface.
3. Enforce strict authentication and authorization controls on the SignalK server to prevent unauthenticated access, especially disabling any configurations that allow security to be turned off.
4. Implement network segmentation to isolate SignalK servers from broader vessel or enterprise networks, limiting lateral movement if compromised.
5. Monitor WebSocket traffic and server logs for suspicious delta messages or command execution attempts indicative of exploitation attempts.
6. Conduct regular security audits and vulnerability scans on maritime IT infrastructure to detect outdated software versions.
7. Employ host-based intrusion detection systems on the SignalK server host to detect anomalous shell command executions.
8. Train maritime IT and operational staff on the risks of this vulnerability and the importance of timely patching and secure configurations.
9. Coordinate with maritime cybersecurity authorities and share threat intelligence to stay informed on emerging exploits or attack campaigns targeting SignalK servers.
Affected Countries
United Kingdom, Norway, Netherlands, Germany, France, Italy, Spain, Greece
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T18:22:43.979Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69813004f9fa50a62f63a3b0
Added to database: 2/2/2026, 11:15:16 PM
Last enriched: 2/2/2026, 11:32:54 PM
Last updated: 2/7/2026, 3:17:42 AM