NAVTOR NavBox Use of Hard-coded Credentials
CVE-2026-21404

5.8MEDIUM

Key Information:

Vendor: Navtor
Status: Navbox
Vendor: CVE Published:; 4 June 2026

What is CVE-2026-21404?

NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.

Affected Version(s)

NavBox 0 <= 4.16.1.20

NavBox 4.17.2.6

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-1...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

5.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Jan 27, 2026

Credit

Cydome Security Ltd reported this vulnerability to CISA.

CVE-2026-21404 Data

JSON

Navtor

What is CVE-2026-21404?

Affected Version(s)

References

CVSS V4

Timeline

Credit