CVE-2026-40425 Overview
CVE-2026-40425 affects the Danelec MacGregor Interschalt Voyage Data Recorder (VDR) G4e. The web interface grants the administrator account direct edit access to sensitive authentication files. An attacker with administrator privileges can modify these files to change the root password and escalate to full system control. The vulnerability is classified under [CWE-552] Files or Directories Accessible to External Parties. Exploitation requires adjacent network access and high privileges, but the resulting impact extends beyond the web application into the underlying operating system of a maritime safety device.
Critical Impact
An authenticated administrator can directly edit authentication files through the web interface, change the root password, and gain persistent root-level control of the Voyage Data Recorder.
Affected Products
- Danelec MacGregor Interschalt VDR G4e (hardware)
- Danelec MacGregor Interschalt VDR G4e Firmware (all versions per CISA advisory ICSA-26-148-01)
- Maritime Voyage Data Recorder deployments using the affected web management interface
Discovery Timeline
- 2026-05-29 - CVE-2026-40425 published to the National Vulnerability Database
- 2026-06-03 - NVD record last updated
- 2026-06-04 - EPSS scoring data published
Technical Details for CVE-2026-40425
Vulnerability Analysis
The Danelec MacGregor Interschalt VDR G4e provides a web-based administration interface for configuring the Voyage Data Recorder. The interface exposes a file editing capability to the administrator account without restricting which files the administrator can modify. Sensitive operating system files governing authentication, including those that define the root account credentials, fall within the scope of editable paths.
An administrator can open authentication-related files such as /etc/passwd or /etc/shadow through the web interface and rewrite their contents. Modifying the root password hash converts a web administrator role into full root access on the underlying Linux host. This breaks the security boundary between the management application and the operating system on which it runs.
The issue maps to [CWE-552] because resources that should be isolated from the application layer are reachable through it. The vulnerability does not depend on a code-execution exploit or memory corruption; it abuses an over-privileged feature exposed in the product design.
Root Cause
The web interface enforces no allow-list or path restriction on its file editor. The administrator role inherits unconstrained filesystem write capability on the host, including write access to credential stores. There is no separation between application-level administration and operating system-level administration.
Attack Vector
Exploitation requires network adjacency to the VDR — typically a shipboard LAN segment — and valid administrator credentials for the web interface. The attacker authenticates to the web console, navigates to the file editor, and writes a new password hash or account entry into the authentication files. The attacker can then log in as root through any exposed shell service, achieving persistent access independent of the web application.
The vulnerability mechanism is documented in the CISA ICS Advisory ICSA-26-148-01 and the corresponding GitHub CSAF Resource. No public proof-of-concept code is available.
Detection Methods for CVE-2026-40425
Indicators of Compromise
- Unexpected modifications to /etc/passwd, /etc/shadow, or related authentication files on the VDR host
- New or altered entries for the root account with unfamiliar password hashes
- Web interface audit log entries showing administrator access to the file editor targeting authentication paths
- Successful root logins via SSH, console, or other shell services from previously unseen sources on the shipboard network
Detection Strategies
- Compare the contents of authentication files against a known-good baseline taken from a freshly provisioned VDR firmware image
- Correlate web interface file-editor activity with subsequent privileged shell sessions within a short time window
- Alert on any write activity to authentication files outside of vendor firmware update windows
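As an added example that is not part of the advisory or of Danelec's product, the following Python sketch implements the baseline comparison and the editor-to-shell correlation described above over constructed log lines; the log format, field names and hash values are assumptions, since the VDR's real formats are not documented here.

```python
import re
from datetime import datetime, timedelta

# Authentication files the advisory names as sensitive.
AUTH_PATHS = ("/etc/passwd", "/etc/shadow")
# Window in which a root login following an auth-file write is suspicious.
WINDOW = timedelta(minutes=10)

# Constructed sample records in a hypothetical "<ISO time> <event> <fields>" format;
# adapt the regexes to the real web-interface audit log and system auth log.
WEB_AUDIT_LOG = """\
2026-05-20T10:01:12Z file_editor_open user=admin path=/etc/network/interfaces
2026-05-20T10:03:45Z file_editor_write user=admin path=/etc/shadow
2026-05-20T10:04:02Z file_editor_write user=admin path=/etc/passwd
"""
AUTH_LOG = """\
2026-05-20T10:05:30Z sshd: Accepted password for root from 10.20.30.44
2026-05-20T14:22:10Z sshd: Accepted password for root from 10.20.30.12
"""
# Constructed shadow entries: baseline from a fresh firmware image vs. current device.
BASELINE_SHADOW = "root:$6$base$knownhash:19800:0:99999:7:::\nvdr:$6$base$vdrhash:19800:0:99999:7:::\n"
CURRENT_SHADOW = "root:$6$new$unknownhash:20230:0:99999:7:::\nvdr:$6$base$vdrhash:19800:0:99999:7:::\n"

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_editor_writes(text):
    """Yield (timestamp, path) for each file-editor write that touches an auth file."""
    for m in re.finditer(r"^(\S+) file_editor_write user=\S+ path=(\S+)$", text, re.M):
        if m.group(2).startswith(AUTH_PATHS):
            yield _ts(m.group(1)), m.group(2)

def parse_root_logins(text):
    """Yield (timestamp, source) for each successful root login."""
    for m in re.finditer(r"^(\S+) sshd: Accepted \S+ for root from (\S+)$", text, re.M):
        yield _ts(m.group(1)), m.group(2)

def correlate(web_log, auth_log, window=WINDOW):
    """Return root logins preceded by an auth-file write within `window`."""
    writes = list(parse_editor_writes(web_log))
    hits = []
    for login_ts, src in parse_root_logins(auth_log):
        edited = sorted({p for ts, p in writes if ts <= login_ts <= ts + window})
        if edited:
            hits.append({"login": login_ts.isoformat(), "src": src, "edited": edited})
    return hits

def baseline_drift(current, baseline):
    """Return account names whose passwd/shadow line differs from the known-good baseline."""
    cur = {l.split(":")[0]: l for l in current.splitlines() if l}
    base = {l.split(":")[0]: l for l in baseline.splitlines() if l}
    return sorted(u for u in cur.keys() | base.keys() if cur.get(u) != base.get(u))
```

Running `correlate(WEB_AUDIT_LOG, AUTH_LOG)` flags only the 10:05 login, and `baseline_drift` reports `root` as the drifted account while the unchanged `vdr` entry stays quiet.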
Monitoring Recommendations
- Forward VDR web interface and system authentication logs to a central log store for retention and analysis
- Monitor adjacent network segments for unauthorized devices that could reach the VDR management interface
- Track administrator account session activity, including any file editor access to sensitive directories
How to Mitigate CVE-2026-40425
Immediate Actions Required
- Restrict network access to the VDR web interface to a dedicated, isolated management VLAN reachable only by authorized maintenance personnel
- Rotate the administrator credentials and remove any shared or default accounts in use on the VDR
- Inspect authentication files on each deployed VDR for unexpected modifications and reimage devices with confirmed tampering
- Contact Danelec via the Danelec Contact Page to obtain remediation guidance for affected fleets
Patch Information
No vendor patch is referenced in the NVD record at publication. Operators should follow the mitigations outlined in CISA ICS Advisory ICSA-26-148-01 and coordinate directly with Danelec for firmware updates. Until a fix is released, the vulnerability must be managed by reducing exposure and tightening administrator account controls.
Workarounds
- Limit physical and network access to the VDR so that only ship officers and authorized service technicians can reach the web interface
- Disable or block remote shell services on the VDR host where not strictly required for operations
- Implement strict change control on administrator credentials and review all use of the web interface file editor
- Segment the VDR from general shipboard IT networks using firewalls or unidirectional gateways where supported
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.