MacGregor Voyage Data Recorder (VDR) G4e (CVE-2026-42941, CVE-2026-42951, CVE-2026-44611 +2 more)

What Happened

Security researchers discovered several flaws in MacGregor Voyage Data Recorder devices, which are used worldwide in the maritime transportation sector. These flaws include default passwords and weak security settings that could allow a hacker on the same network to gain full control over the device. If exploited, an attacker could access sensitive data or disrupt the device's operations. Organizations using these devices should update to firmware version V5.250 during their next service attendance to fix these issues.

Key Takeaways

• Multiple vulnerabilities exist in Danelec MacGregor Voyage Data Recorder (VDR) G4e devices prior to version V5.250.
• Flaws include the use of default and hard-coded credentials, weak password hashing, and unauthorized access to sensitive files.
• Successful exploitation could grant an attacker full administrator access to the device.
• Danelec has released firmware version V5.250 to remediate these issues, and users are encouraged to update at the earliest service attendance.

Affected Systems

• Danelec MacGregor Voyage Data Recorder (VDR) G4e versions prior to V5.250

Vulnerabilities (CVEs)

• CVE-2026-42941
• CVE-2026-42951
• CVE-2026-44611
• CVE-2026-42929
• CVE-2026-40425

Attack Chain

An attacker with adjacent network access to the VDR device could exploit default or hard-coded credentials to gain initial access. Once authenticated, the attacker could exploit weak password hashing or download device backups to extract further account data. Additionally, an administrator account could be abused to edit sensitive authentication files, potentially changing the root password and achieving full device compromise.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

EDR Visibility: None — These are embedded ICS/Transportation devices (Voyage Data Recorders) which do not support standard EDR agents. Network Visibility: Medium — Network monitoring could detect anomalous access to the VDR web interface or unauthorized backup downloads, provided traffic is unencrypted or inspected. Detection Difficulty: Hard — Exploitation relies on valid (default/hardcoded) credentials and built-in web interface features, which blend in with legitimate administrative traffic.

Required Log Sources

• Network flow logs
• Web application firewall logs
• Device authentication logs

Hunting Hypotheses

Control Gaps

• Lack of enforced password changes on first use
• Insecure credential storage and weak hashing algorithms

Key Behavioral Indicators

• Unexpected backup downloads from the VDR device
• Authentication attempts using known default accounts from non-admin subnets

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider updating Danelec MacGregor Voyage Data Recorder (VDR) G4e devices to firmware version V5.250 at the earliest service attendance.
• If supported by the device, consider changing any default passwords immediately prior to patching.

Infrastructure Hardening

• Evaluate minimizing network exposure for all control system devices, ensuring they are not accessible from the internet.
• Consider locating control system networks and remote devices behind firewalls, isolating them from business networks.
• If remote access is required, consider implementing secure methods such as updated VPNs.

User Protection

• N/A

Security Awareness

• Ensure maintenance personnel are aware of the need to update VDR firmware during routine service attendances.

MITRE ATT&CK Mapping

• T1078.001 - Valid Accounts: Default Accounts
• T1552.001 - Unsecured Credentials: Credentials In Files
• T1110 - Brute Force