CVE-2026-2754 identifies a critical security flaw in Navtor NavBox version 4.12.0.3, a maritime navigation and operational technology device. The vulnerability arises because the device's HTTP API endpoints on TCP port 8080 do not enforce any authentication, allowing unauthenticated remote attackers with network access to retrieve sensitive configuration and operational data. Specifically, attackers can execute HTTP GET requests to access internal network parameters, including Electronic Chart Display and Information System (ECDIS) data, Operational Technology (OT) information, device identifiers, and service status logs. This exposure is due to CWE-306, which denotes missing authentication for critical functions, a serious security design flaw. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:H), without affecting integrity or availability. Although no public exploits have been observed, the disclosed information could facilitate further targeted attacks or unauthorized access to maritime operational systems. NavBox is widely used in maritime navigation, making this vulnerability particularly concerning for vessels and maritime infrastructure relying on this product. The lack of authentication on sensitive API endpoints represents a critical security oversight that must be addressed to prevent unauthorized data disclosure and potential operational risks.

The primary impact of CVE-2026-2754 is the unauthorized disclosure of sensitive maritime operational data, including ECDIS and OT information, device identifiers, and service status logs. This information leakage can aid attackers in reconnaissance activities, enabling them to map internal network configurations and identify potential attack vectors. While the vulnerability does not directly allow modification or disruption of services, the exposed data could facilitate subsequent attacks such as targeted intrusions, spoofing, or manipulation of navigation systems. For organizations operating maritime vessels or infrastructure, this could lead to operational disruptions, safety risks, or compromise of sensitive navigation data. The vulnerability's ease of exploitation—requiring only network access and no authentication or user interaction—amplifies its risk. Additionally, attackers could leverage this information to bypass other security controls or escalate privileges in the maritime operational environment. The exposure of device identifiers and service logs may also aid in fingerprinting and persistent targeting of affected systems. Overall, the vulnerability poses a significant confidentiality risk with potential downstream impacts on maritime safety and operational integrity.

To mitigate CVE-2026-2754, organizations should immediately implement the following measures: 1) Apply any available patches or firmware updates from Navtor that address authentication enforcement on the HTTP API endpoints; if no patch is available, engage with Navtor support for guidance or temporary workarounds. 2) Restrict network access to TCP port 8080 on NavBox devices by implementing strict firewall rules and network segmentation, ensuring only authorized management systems can communicate with the device. 3) Deploy network monitoring and intrusion detection systems to detect and alert on unauthorized access attempts to the NavBox HTTP API. 4) Conduct regular security audits and penetration tests focused on maritime operational technology to identify similar authentication weaknesses. 5) Enforce strong access control policies and consider implementing VPN or other secure remote access methods for management interfaces. 6) Educate maritime IT and OT personnel about the risks of exposed APIs and the importance of securing device management interfaces. 7) Maintain an inventory of all NavBox devices and their firmware versions to prioritize remediation efforts. These steps go beyond generic advice by focusing on network-level controls, vendor engagement, and operational security practices tailored to maritime environments.