CVE-2026-21404

Published: Giu 04, 2026 Last Modified: Giu 04, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,8
Source: [email protected]
Attack Vector: local
Attack Complexity: high
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM 6,3
Source: [email protected]
Attack Vector: local
Attack Complexity: high
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: high
Availability: high

Description

AI Translation Available

NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.

798

Use of Hard-coded Credentials

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Integrity Confidentiality Availability Other
Potential Impacts:
Bypass Protection Mechanism Read Application Data Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Other
Applicable Platforms
Technologies: Mobile, ICS/OT
Likelihood of Exploit: High
View CWE Details
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/…
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-1…
https://www.cisa.gov/news-events/ics-advisories/icsa-26-155…
https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-01