CVE-2026-42941 Overview
CVE-2026-42941 affects the Danelec MacGregor Interschalt VDR G4e Voyage Data Recorder. The device ships with a default username and password and does not enforce a password change during initial setup. An attacker on the adjacent network can authenticate using factory credentials and gain access to a maritime safety-critical system. The flaw is classified under [CWE-1392: Use of Default Credentials].
The vulnerability is documented in CISA ICS Advisory ICSA-26-148-01 and the corresponding GitHub CSAF JSON File.
Critical Impact
An adjacent-network attacker can log in with factory-set credentials and read, alter, or disable voyage data recorder operations affecting vessel safety evidence.
Affected Products
- Danelec MacGregor Interschalt VDR G4e (hardware)
- Danelec MacGregor Interschalt VDR G4e firmware (all versions per advisory)
- Maritime deployments relying on the affected VDR for voyage data recording
Discovery Timeline
- 2026-05-29 - CVE-2026-42941 published to NVD
- 2026-06-04 - Last updated in NVD database
Technical Details for CVE-2026-42941
Vulnerability Analysis
The Interschalt VDR G4e ships with a manufacturer-defined username and password used for administrative access. The firmware does not require operators to replace these credentials during commissioning or first login. Any user with network reachability to the device management interface can authenticate using publicly known factory credentials.
The Voyage Data Recorder stores navigation, audio, radar, and sensor data used for incident investigation. Unauthorized access permits an attacker to view stored voyage data, modify configuration, or interrupt recording. This undermines the integrity of evidence that maritime authorities rely on after incidents.
The vulnerability is exploitable from the adjacent network, meaning the attacker must reach the vessel's onboard LAN or a connected segment. Confidentiality and integrity impact are rated High, while availability impact is Low.
Root Cause
The root cause is an insecure default configuration combined with the absence of a forced credential rotation workflow. The device accepts the documented factory credentials indefinitely unless operators voluntarily change them. [CWE-1392] specifically covers the use of default credentials shipped by a vendor.
Attack Vector
An attacker with access to the bridge network, a connected crew network, or any segment that routes to the VDR management interface can connect to the authentication service. The attacker submits the documented default username and password and gains an authenticated session. From that session, the attacker can manipulate device settings, exfiltrate recorded voyage data, or tamper with stored evidence.
No exploitation tooling is required beyond the publicly documented credentials. No proof-of-concept code is required to describe this issue, and none is referenced in the advisory.
Detection Methods for CVE-2026-42941
Indicators of Compromise
- Successful authentication events to the VDR using the documented default account name from unexpected source addresses
- Configuration changes on the VDR not associated with a scheduled maintenance window
- Gaps, truncations, or unexpected purges in the stored voyage data stream
- Outbound connections from the VDR to hosts not listed in the vessel's approved asset inventory
Detection Strategies
- Inventory all Danelec MacGregor Interschalt VDR G4e units and verify whether the default credentials remain in use
- Capture authentication logs from the VDR and forward them to a central log store for review against known administrator accounts
- Baseline normal VDR management traffic and alert on access from networks outside the bridge segment
- Periodically test the device with the documented default credentials to confirm they have been changed
Monitoring Recommendations
- Monitor the bridge and engineering network segments for new TCP sessions to the VDR management ports
- Alert on authentication attempts originating from crew Wi-Fi, satcom, or shore-connected segments
- Track configuration file hashes on the VDR and alert on any change outside maintenance windows
- Correlate VDR access events with crew watch schedules to identify out-of-band activity
How to Mitigate CVE-2026-42941
Immediate Actions Required
- Change the factory username and password on every Interschalt VDR G4e unit immediately and document the new credentials in a controlled credential vault
- Restrict network access to the VDR management interface to a dedicated maintenance VLAN reachable only by authorized engineers
- Disable or isolate any bridge between crew networks and the VDR network segment
- Contact Danelec through the Danelec Contact Page for vendor guidance and firmware status
Patch Information
The NVD entry and CISA ICS Advisory ICSA-26-148-01 do not list a fixed firmware version at the time of publication. Operators should track the advisory for updates and apply vendor-supplied firmware as soon as Danelec publishes a release that enforces credential change at first login.
Workarounds
- Replace default credentials with strong, unique passwords on each unit and store them in a managed password vault
- Place the VDR behind a firewall that permits only specific source addresses used by authorized maintenance staff
- Require multi-factor authentication on jump hosts used to reach the VDR maintenance VLAN
- Audit VDR access logs at every port call and after every crew rotation to confirm no unauthorized sessions occurred
# Configuration example
# Refer to vendor documentation for the exact CLI; the following illustrates the required hardening steps.
# 1. Authenticate with the current (default) credentials over the maintenance interface.
# 2. Replace the default administrative account password.
# 3. Disable or rename the default account if the firmware permits.
# 4. Restrict the management interface to the maintenance VLAN at the network layer.
# Example upstream firewall rule (Linux iptables):
iptables -A FORWARD -s 10.10.20.0/24 -d 10.10.99.10 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.10.99.10 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
