OTPulse

Kaleris Navis N4 Terminal Operating System

Act Now · CVSS 9.8 · ICS-CERT ICSA-25-175-01 · Jun 24, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Kaleris Navis N4 Terminal Operating System versions below 4.0 contain insecure deserialization (CWE-502) and unencrypted data transmission (CWE-319) vulnerabilities that allow remote code execution and sensitive information extraction. The Ultra Light Client interface is the primary attack vector. Affected versions include all 3.x releases up to 3.8.0. Successful exploitation allows an attacker to remotely execute arbitrary code on the N4 operating system without authentication.

What this means
What could happen
An attacker with network access to Navis N4 could execute arbitrary code on the terminal operating system, potentially gaining full control of port operations including vessel scheduling, cargo tracking, and equipment automation.
Who's at risk
Port terminal operators and maritime logistics providers using Kaleris Navis N4 should care about this issue. The N4 TOS controls vessel scheduling, cargo operations, gate management, and equipment automation—core functions of container and bulk cargo terminals.
How it could be exploited
An attacker on the network can send specially crafted requests to the exposed N4 system without authentication. The vulnerabilities (insecure deserialization and unencrypted data transmission) allow the attacker to either inject malicious objects or intercept and modify traffic to achieve remote code execution on the N4 server.
Prerequisites
  • Network reachability to the N4 system on its web service port
  • N4 exposed to the internet or accessible from an untrusted network
  • Ultra Light Client endpoint is enabled (default state)
  • No authentication required for initial exploitation
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects operational systems (port terminal operations)
  • Affects sensitive data (cargo, vessel schedules)
  • No patch available for versions below 4.0
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product | Affected Versions | Fix Status
Navis N4: <4.0 | <4.0 | 3.1.44, 3.2.26, 3.3.27, 3.4.25, 3.5.18, 3.6.14, 3.7.0, 3.8.0, or 4.0
Remediation & Mitigation
Do now
  • WORKAROUND: Disable the Ultra Light Client by blocking URLs matching patterns '*.jnlp' and '/ulc' at the firewall or load balancer, or by commenting out relevant code in web.xml and restarting the server
  • HARDENING: Do not expose N4 to the internet; place it behind a firewall and restrict to internal access only
  • HARDENING: If internet exposure is required, set up a secure VPN connection for external access or implement an authenticated jump system (Citrix, VDI)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade to Navis N4 version 3.1.44 or later (3.2.26+, 3.3.27+, 3.4.25+, 3.5.18+, 3.6.14+, 3.7.0+, 3.8.0+ depending on current version), or upgrade to N4 4.0 where the vulnerable Ultra Light Client has been replaced
  • HARDENING: Enable and verify HTTPS is properly configured on the firewall and load balancer
  • HARDENING: Implement TLS in the load balancer per the Application Security Guide provided by Kaleris
Long-term hardening
  • HARDENING: Restrict the number of N4 nodes exposed to the internet to the minimum necessary
  • HARDENING: Deploy a third-party firewall with DDoS protection and intrusion detection in front of N4
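
A log check for the Ultra Light Client workaround above, added here as an example and not taken from Kaleris or the advisory: it scans load-balancer access logs for requests matching '*.jnlp' or '/ulc' that were not rejected at the edge. The combined log format, the 403/404 "blocked" statuses, the `/app` sample paths and all function names are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: the load balancer writes Apache/nginx "combined"-style access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: the edge block rule answers with one of these status codes.
BLOCKED = {403, 404}

def is_ulc_path(target):
    """True if the request target matches the '*.jnlp' or '/ulc' patterns."""
    # Normalise the way a servlet container would before routing:
    # decode percent-encoding and drop ';param' path parameters.
    path = unquote(urlsplit(target).path).lower()
    segments = [s.split(";")[0] for s in path.split("/")]
    return any(s == "ulc" or s.endswith(".jnlp") for s in segments)

def unblocked_ulc_requests(lines):
    """Return (ip, target, status) for ULC requests the edge did not reject."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_ulc_path(m["target"]):
            continue
        status = int(m["status"])
        if status not in BLOCKED:
            hits.append((m["ip"], m["target"], status))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '198.51.100.7 - - [24/Jun/2025:10:00:01 +0000] "GET /app/ulc HTTP/1.1" 403 153 "-" "-"',
    '203.0.113.9 - - [24/Jun/2025:10:00:05 +0000] "POST /app/ulc?x=1 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [24/Jun/2025:10:00:09 +0000] "GET /app/N4.JNLP HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.4 - - [24/Jun/2025:10:00:12 +0000] "GET /app/api/bulcargo HTTP/1.1" 200 99 "-" "-"',
]

if __name__ == "__main__":
    for ip, target, status in unblocked_ulc_requests(SAMPLE):
        print(f"NOT BLOCKED: {ip} {target} -> {status}")
```

Any line it reports means the block rule is missing, misordered, or bypassed by a node that is reachable without going through the load balancer.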