CVE Alert

CVE-2026-21404

MEDIUM 6.3

NAVTOR NavBox Use of Hard-coded Credentials

CVSS Score: 6.3
EPSS Score: 0.0%
EPSS Percentile: 4th

NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.

CWE: CWE-798
Vendor: navtor
Product: navbox
Published: Jun 4, 2026
Last Updated: Jun 5, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Affected Versions

NAVTOR / NavBox
0 ≤ 4.16.1.20

References

cisa.gov: https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-01
github.com: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-155-01.json

Credits

Cydome Security Ltd reported this vulnerability to CISA.