CISA flags CVE-2026-21404 in NAVTOR NavBox
The operational job is version verification, especially where air gaps or delayed updates turn automatic patching into an untested assumption.
TL;DR
CISA issued ICSA-26-155-01 for NAVTOR NavBox 4.16.1.20 and earlier, assigning CVE-2026-21404 a CVSS 3.1 score of 6.3. If SOAP is enabled, a local attacker can use hard-coded credentials to reach privileged Windows Communication Foundation methods and write or overwrite files. NAVTOR fixed the issue in 4.17.2.6 in April 2026. Contractors, certified third-party assessment organizations and assessors should verify versions where auto-update may lag; CISA reports no known public exploitation.
CISA’s NAVTOR NavBox advisory is mostly an inventory and version-control job. CISA says NAVTOR fixed CVE-2026-21404 in version 4.17.2.6 in April 2026; the June 4 advisory therefore lands after a patch path already exists, with auto-update available for systems with an active NavBox connection. The risk still matters in the environments that blunt that comfort: isolated operational technology networks, delayed maintenance windows and assessment scopes where nobody should assume a box updated itself. If SOAP is enabled, a local attacker can extract hard-coded credentials, authenticate to privileged Windows Communication Foundation methods, and write or overwrite files within application-defined paths. Contractors, certified third-party assessment organizations and assessors should verify the installed version and SOAP exposure, then document the result. CISA reports no known public exploitation and says the flaw is local, high-complexity and not remotely exploitable.
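The verification the article recommends reduces to comparing each installed NavBox version against the advisory's boundaries and noting whether SOAP is enabled. The script below is an added example written for this article; it is not NAVTOR or CISA code. It assumes you have already collected a version string and the SOAP setting from each box by whatever means your environment allows (the article does not say how to read either), and the inventory records it uses are constructed. Versions at or below 4.16.1.20 are reported as affected, 4.17.2.6 and later as patched, and anything in between as unverified because the advisory text on this page says nothing about those builds.

```python
from dataclasses import dataclass

# Boundaries taken from the advisory as summarised in the article.
LAST_AFFECTED = "4.16.1.20"   # "4.16.1.20 and earlier" are affected
FIXED_VERSION = "4.17.2.6"    # NAVTOR's fixed release (April 2026)


@dataclass
class Asset:
    host: str            # hypothetical inventory label
    version: str         # installed NavBox version as collected from the box
    soap_enabled: bool   # SOAP setting as collected from the box


def parse_version(v: str, width: int = 4) -> tuple:
    """Turn '4.16.1.20' into (4, 16, 1, 20), padding with zeros so that
    versions with fewer components still compare correctly."""
    parts = [int(p) for p in v.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (width - len(parts)))


def classify(version: str) -> str:
    """Map a version string onto the advisory's affected/fixed boundaries."""
    v = parse_version(version)
    if v >= parse_version(FIXED_VERSION):
        return "patched"
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    # Builds between the last affected and the fixed release are not
    # described on the page, so they are flagged for manual follow-up.
    return "unverified"


def assess(assets: list) -> list:
    """Return one (host, version, status, soap, action) tuple per asset.
    SOAP enabled on an unpatched box is the condition the advisory ties
    to the hard-coded credential path, so it raises the action priority."""
    results = []
    for a in assets:
        status = classify(a.version)
        if status == "patched":
            action = "record evidence"
        elif a.soap_enabled:
            action = "update to 4.17.2.6+ (SOAP enabled)"
        else:
            action = "update to 4.17.2.6+"
        results.append((a.host, a.version, status, a.soap_enabled, action))
    return results


# Constructed sample inventory; not real hosts or observed versions.
SAMPLE_INVENTORY = [
    Asset("bridge-navbox-01", "4.16.1.20", True),
    Asset("bridge-navbox-02", "4.15.0.3", False),
    Asset("bridge-navbox-03", "4.17.0.1", True),
    Asset("bridge-navbox-04", "4.17.2.6", False),
]

if __name__ == "__main__":
    for host, version, status, soap, action in assess(SAMPLE_INVENTORY):
        print(f"{host:18} {version:10} {status:10} soap={soap!s:5} {action}")
```

Because air-gapped or rarely connected boxes are exactly the ones where auto-update cannot be assumed, the useful output of this check is the recorded evidence per host rather than the summary count, which is why the function returns one row per asset for the assessment file.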
Published · Deep Fathom