Critical Credential Vulnerabilities in MacGregor Voyage Data Recorder (VDR) G4e (CVE‑2026‑42941) Threaten Maritime Operations
What It Is — The MacGregor Voyage Data Recorder (VDR) G4e ships with default, hard‑coded, and insufficiently protected credentials, allowing an adversary to obtain full administrator access. The flaw is tracked as CVE‑2026‑42941 and carries a CVSS v3.1 base score of 8.3 (High).
Exploitability — Exploits are trivial: knowledge of the default username/password or capture of weak password hashes is enough to gain admin rights. No sophisticated tooling is required, making the vulnerability actively exploitable in the wild.
Affected Products — Danelec MacGregor Voyage Data Recorder (VDR) G4e firmware < V5.250 (all versions prior to the vendor‑issued fix).
TPRM Impact — Shipping companies, port authorities, and logistics service providers that depend on VDR data for compliance, safety reporting, and operational analytics face:
- Unauthorized alteration or deletion of voyage logs, jeopardizing regulatory compliance.
- Potential disruption of vessel navigation and safety systems if the recorder is leveraged as a pivot point.
- Down‑stream risk to third‑party analytics platforms that ingest VDR data, creating a supply‑chain attack vector.
Recommended Actions —
- Update firmware to Danelec’s V5.250 release at the earliest service attendance.
- Reset all default credentials and enforce strong, unique passwords for each device.
- Disable unnecessary remote‑access services and place VDRs on isolated VLANs or air‑gapped networks.
- Implement continuous monitoring of VDR authentication logs and network traffic for anomalous activity.
- Document remediation in your third‑party risk register and verify compliance during the next audit cycle.
Source: CISA Advisory – ICSA‑26‑148‑01