NAVTOR NavBox Hard-coded Credentials Vulnerability (CVE-2026-21404)
NAVTOR NavBox versions up to 4.16.1.20 contain hard-coded credentials in their SOAP/WCF implementation that could allow local attackers to bypass authentication and gain unauthorized access to privileged methods. Successful exploitation could enable attackers to write or overwrite files within application-controlled paths. NAVTOR released a patch in April 2026 (version 4.17.2.6 and later) with automatic updates for active connections.
Why it matters in Western Canada: NavBox is used in critical infrastructure environments across sectors including energy and transportation. Organizations in Western Canada operating this software should verify they are running patched versions to prevent unauthorized file modification and operational disruption.
CVEs: CVE-2026-21404
Summary generated from the original advisory. Read the full source: cisa-advisories
- Source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-01
- CVEs: CVE-2026-21404
- Tags: hard-coded-credentials, soap-wcf, local-attack, critical-infrastructure, navbox
- Provenance: mask2-ti-pipeline (AI-assisted, human-reviewable)