CVE-2026-42951: MacGregor VDR Information Disclosure Flaw

CVE-2026-42951 Overview

CVE-2026-42951 affects the Danelec MacGregor Interschalt Voyage Data Recorder (VDR) G4e, a maritime black box system used aboard commercial vessels. An authenticated user can download a full device backup that includes account data and password hashes. The exposure falls under CWE-522: Insufficiently Protected Credentials and enables offline cracking of stored hashes.

The issue is reachable from an adjacent network position with low privileges and no user interaction. Successful exploitation undermines the confidentiality of authentication material across the affected VDR firmware. The flaw was disclosed through CISA ICS Advisory ICSA-26-148-01.

Critical Impact

Authenticated attackers on the same network can extract password hashes from VDR backups and recover plaintext credentials offline, enabling lateral movement within shipboard systems.

Affected Products

• Danelec MacGregor Interschalt VDR G4e (hardware)
• Danelec MacGregor Interschalt VDR G4e firmware (all listed versions)
• Shipboard installations relying on the affected VDR firmware for voyage data recording

Discovery Timeline

• 2026-05-29 - CVE-2026-42951 published to NVD
• 2026-06-04 - Last updated in NVD database

Technical Details for CVE-2026-42951

Vulnerability Analysis

The Danelec MacGregor Interschalt VDR G4e exposes a backup download function to authenticated users. The generated backup archive includes account records and the password hashes associated with device users. Any account with login access, regardless of role separation, can retrieve this archive.

The vulnerability maps to CWE-522: Insufficiently Protected Credentials. The backup mechanism does not restrict sensitive credential material from inclusion in user-accessible exports. Once the archive is downloaded, an attacker can perform offline dictionary or brute-force attacks against the recovered hashes.

The EPSS score is 0.024% as of 2026-06-04, indicating low observed exploitation activity. However, VDR systems operate in segmented maritime networks where adjacent-network access often correlates with insider or post-compromise scenarios.

Root Cause

The backup feature bundles sensitive authentication data into a downloadable artifact without enforcing privilege separation or stripping credential fields. Password hashes should never appear in user-accessible exports. The design also lacks compensating controls such as encryption of sensitive sections of the backup with a key not held by standard user accounts.

Attack Vector

An attacker requires network adjacency to the VDR management interface and valid low-privilege credentials. After authenticating, the attacker invokes the backup download endpoint and retrieves the archive. The attacker then parses the archive offline, extracts hash material, and attempts credential recovery using standard cracking tools.

Recovered credentials can be replayed against the VDR itself or against other shipboard systems if operators reuse passwords. No exploitation code example is publicly available. See the CISA ICS Advisory ICSA-26-148-01 and the CISA CSAF document for technical details.

Detection Methods for CVE-2026-42951

Indicators of Compromise

• Unexpected backup download requests in VDR web interface or management API logs
• Authentication events from low-privilege accounts immediately followed by large outbound transfers from the VDR
• Repeated failed logins on shipboard systems consistent with offline-cracked credentials being replayed
• New or modified administrative accounts on the VDR following a backup retrieval event

Detection Strategies

• Audit VDR access logs for backup or export endpoint invocations and correlate with user identity and source IP
• Alert on backup downloads originating from accounts not designated for maintenance or service operations
• Baseline normal backup frequency and flag deviations, particularly downloads outside scheduled maintenance windows

Monitoring Recommendations

• Forward VDR authentication and administrative event logs to a central SIEM or syslog collector for retention and correlation
• Monitor the adjacent shipboard network segment for unusual host enumeration or service discovery against the VDR management interface
• Track credential reuse patterns by correlating VDR account names with logins on adjacent OT and IT systems

How to Mitigate CVE-2026-42951

Immediate Actions Required

• Contact Danelec via the official contact page to obtain firmware updates or guidance specific to the affected VDR G4e deployment
• Restrict access to the VDR management interface to a dedicated maintenance VLAN and authorized engineering hosts only
• Rotate all VDR account passwords and any credentials reused on adjacent shipboard systems
• Review historical logs for prior backup downloads and treat affected hashes as compromised

Patch Information

No vendor patch URL is listed in the enriched CVE data. Operators should reference the CISA ICS Advisory ICSA-26-148-01 and coordinate with Danelec MacGregor support for remediation timelines and firmware availability.

Workarounds

• Limit VDR account provisioning to the minimum number of operators required and remove unused accounts
• Enforce strong, unique passwords on all VDR accounts to increase the cost of offline hash cracking
• Segment the VDR from general shipboard networks and require jump-host access for administrative tasks
• Disable or tightly control any backup or export functionality available to non-administrative roles where supported by the device configuration