CVE-2026-2754
Analyzed Analyzed - Analysis Complete
Unauthorized Access in Navtor NavBox HTTP API Exposes Sensitive Data

Publication date: 2026-03-06

Last updated on: 2026-06-05

Assigner: MHV

Description
Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-06-05
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2754
EUVD
EUVD-2026-10039
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
navtor navbox_firmware From 4.12.0.3 (inc) to 4.16.2.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include restricting network access to the Navtor NavBox device, especially blocking unauthenticated access to TCP port 8080.

Upgrading the NavBox software to version 4.16.2.4 or later is recommended, as this version addresses the vulnerability by implementing proper authentication and fixing the information disclosure issue.

Additionally, monitor network traffic for unauthorized HTTP GET requests to port 8080 and consider implementing firewall rules to limit access to trusted hosts only.

Executive Summary

CVE-2026-2754 is an information disclosure vulnerability in Navtor NavBox devices. It occurs because the HTTP API endpoints on TCP port 8080 lack authentication, allowing unauthenticated remote attackers with network access to retrieve sensitive configuration and operational data. This includes internal network parameters, device identifiers, ECDIS & OT information, and service status logs.

Additionally, in NavBox version 4.12.0.3, attackers can trigger an unhandled exception that discloses a verbose stack trace revealing internal application details, which could aid further attacks.

Impact Analysis

This vulnerability can lead to the exposure of sensitive internal data without requiring any authentication, which compromises confidentiality. Attackers can gain access to network parameters, device identifiers, and operational logs, potentially enabling further targeted attacks or unauthorized network reconnaissance.

While it does not impact integrity or availability, the disclosure of sensitive information can undermine the security posture of affected systems.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking for the presence of Navtor NavBox devices exposing HTTP API endpoints on TCP port 8080 without authentication.

You can use network scanning tools to identify devices with open TCP port 8080 and then attempt HTTP GET requests to these endpoints to see if sensitive configuration and operational data are disclosed.

  • Use nmap to scan for open port 8080: nmap -p 8080 <target-ip>
  • Use curl or wget to send an HTTP GET request to the device on port 8080: curl http://<target-ip>:8080/
  • Check the response for sensitive information such as ECDIS & OT Information, device identifiers, or service status logs.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2754. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart