CVE-2026-2752
Analyzed - Analysis Complete
Information Disclosure via Unhandled Exception in Navtor NavBox API

Publication date: 2026-03-06

Last updated on: 2026-06-15

Assigner: MHV

Description
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.
Meta Information
Published: 2026-03-06
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor | Product | Version / Range
navtor | navbox_firmware | From 4.12.0.3 (inclusive) to 4.16.2.4 (exclusive)
CWE ID | Description
CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data.
Executive Summary

CVE-2026-2752 is a vulnerability in Navtor NavBox that allows remote, unauthenticated attackers to send specially crafted requests to the /api/ais-data endpoint. This triggers an unhandled exception causing the server to return detailed .NET stack traces. These error messages expose internal class names, method calls, and third-party library references, which can help attackers understand the internal structure of the application.

Additionally, this vulnerability allows attackers to access exposed HTTP API endpoints without authentication, retrieving unencrypted JSON objects containing sensitive information such as environmental data, configuration parameters, operational telemetry, and service status.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information about the vessel’s internal network and maritime Industrial Control Systems/Operational Technology (ICS/OT) environment. Attackers gaining this insight may use it to plan further attacks or disrupt maritime cybersecurity.

The exposure of detailed internal application data and operational telemetry can compromise confidentiality, potentially leading to security breaches or operational disruptions.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP requests to the /api/ais-data endpoint of the Navtor NavBox system and observing the server's response.

If the server returns verbose .NET stack traces containing internal class names, method calls, or third-party library references, it indicates the presence of the vulnerability.

A simple test is to send a request with curl and check the response for error stack traces:

  • curl -v http://<navbox-ip-or-hostname>/api/ais-data

If the response contains detailed .NET exception stack traces or sensitive internal information, the system is vulnerable.
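To make the "check the response" step repeatable, the following added example (not code from NAVTOR or from this advisory) scans an already captured response body for the CWE-209 markers described above: exception type names, stack frames, source paths and the System.Data.SQLite reference. The sample bodies, `Example.Api.AisController` and the file path are constructed for illustration.

```python
import json
import re

# Disclosure classes named in the advisory (CWE-209), as regexes.
PATTERNS = {
    "exception_type": re.compile(r"\b(?:[A-Z]\w*\.)+\w*Exception\b"),
    "stack_frame": re.compile(r"^\s*at\s+((?:\w+\.)+[\w`<>]+)\(.*\)", re.M),
    "source_path": re.compile(r"\bin\s+(\S.*?):line\s+\d+"),
    "library_ref": re.compile(r"\bSystem\.Data\.SQLite\b"),
}

def _texts(body):
    """Strings inside a JSON body (traces are often JSON-escaped), else the raw body."""
    try:
        pending = [json.loads(body)]
    except ValueError:
        return [body]
    out = []
    while pending:
        v = pending.pop()
        if isinstance(v, str):
            out.append(v)
        elif isinstance(v, (dict, list)):
            pending.extend(v.values() if isinstance(v, dict) else v)
    return out

def find_disclosure(body):
    """Return {category: sorted unique matches} for each pattern that hits."""
    text = "\n".join(_texts(body))
    hits = {}
    for name, rx in PATTERNS.items():
        found = sorted({m.group(m.lastindex or 0) for m in rx.finditer(text)})
        if found:
            hits[name] = found
    return hits

# Constructed sample bodies; Example.Api.AisController and the path are hypothetical.
VERBOSE = json.dumps({
    "message": "An error has occurred.",
    "exceptionType": "System.Data.SQLite.SQLiteException",
    "stackTrace": "   at System.Data.SQLite.SQLiteCommand.ExecuteReader()\r\n"
                  "   at Example.Api.AisController.Get(String id)"
                  " in C:\\app\\AisController.cs:line 42",
})
SANITIZED = '{"error": "Bad request", "traceId": "constructed-0001"}'
TELEMETRY = '{"mmsi": 123456789, "status": "at anchor in port"}'

if __name__ == "__main__":
    print([find_disclosure(b) for b in (VERBOSE, SANITIZED, TELEMETRY)])
```

An empty result after upgrading means the body no longer carries these markers; it does not by itself show that the endpoint requires authentication.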

Mitigation Strategies

Immediate mitigation involves updating the Navtor NavBox software to a patched version.

NAVTOR has addressed this vulnerability in NavBox version 4.16.2.4 and later, which include patches to prevent unauthenticated access to sensitive API endpoints.

Until the update can be applied, restrict network access to the NavBox system, especially blocking external or untrusted sources from accessing the /api/ais-data endpoint.

Implement network-level controls such as firewalls or access control lists (ACLs) to limit exposure.
