CVE-2026-21404

MEDIUM

NAVTOR NavBox Use of Hard-coded Credentials

Title source: cna

Description

NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.

References (2)

Core 2

Core References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-01

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-155-01.json

Scores

CVSS v3 6.3

EPSS 0.0012

EPSS Percentile 2.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-798

Status published

Products (2)

NAVTOR/NavBox < 4.16.1.20

NAVTOR/NavBox 4.17.2.6

Published Jun 04, 2026

Tracked Since Jun 05, 2026