HIGH | CVE-2026-42941 | Published | Modified | CNA icscert

CVE-2026-42941: MacGregor Voyage Data Recorder (VDR) G4e Use of Default Credentials

The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change.

HarborGuard Analysis

Synopsis

Default credentials in the Danelec MacGregor Voyage Data Recorder (VDR) G4e let anyone who can reach the device log in with a built-in username and password that the device does not force the operator to change. The flaw is reachable from an adjacent network (typically the shipboard LAN) without prior authentication and without any user interaction, giving an attacker high-impact read and write access to recorded voyage data and device settings. A patched-image rebuild at version 5.250 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that embed the affected VDR firmware components.

Triage: Available

Triage is available with the published CVSS v4.0 score of 8.7 (high) weighted against each customer organization's compliance policy, then routed to the inbox configured for that environment so the right team sees it.

Patch: Available

A patched-image rebuild at version 5.250 is available on HarborGuard for affected environments. Customers with auto-remediation enabled get the rebuilt image, an automated regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Detail

    The attacker must be on an adjacent network such as the shipboard LAN or a connected VPN segment to reach the VDR.

  • Authentication: Not required

    No prior credentials are needed because the device ships with a known default username and password and does not force a change.

  • Victim interaction: Not required

    No operator action is required; the attacker logs in directly using the documented defaults.

  • Attack complexity: Detail

    The exploit is reliable and condition-free since the default credentials are static and always accepted.

Blast Radius

  • Reads stored voyage data recordings, bridge audio, navigation logs, and device configuration through the authenticated interface.
  • Modifies device configuration and persisted recordings, undermining the integrity of voyage evidence used for incident investigation.
  • Disrupts recorder availability to a limited extent by altering settings or restarting services on the device.

How HarborGuard Handles This

Available on HarborGuard: a rebuilt image at version 5.250 ready to roll out to affected workloads. For customers who opt into auto-remediation, the rebuild is paired with a regression-test run and a PR opened against the affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where the VDR cannot be updated immediately, compensating controls such as isolating the device on a dedicated VLAN, restricting management access to a jump host, and changing the default credentials at first boot are recommended until 5.250 is deployed.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: 5.250
  • Affected Products: 1

Fix available: 5.250

Affected packages

  • Danelec / MacGregor Voyage Data Recorder (VDR) G4e: < 5.250 (from 0)

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N