Kaleris Navis N4 Terminal Operating System

Severity: CVSS 9.8
Advisory: ICS-CERT ICSA-25-175-01
Published: Jun 24, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Navis N4 Terminal Operating System versions before 4.0 contain unsafe deserialization and cleartext data transmission vulnerabilities in the Ultra Light Client component. Successful exploitation allows remote code execution and sensitive data extraction without authentication. The vulnerabilities affect the web-based Ultra Light Client interface used for terminal operations access. Kaleris has released patched versions for all supported release lines (3.1.44, 3.2.26, 3.3.27, 3.4.25, 3.5.18, 3.6.14, 3.7.0, 3.8.0, and 4.0), with version 4.0 replacing the vulnerable Ultra Light Client entirely with an HTML UI.

What this means
What could happen
An attacker could exploit the Navis N4 Terminal Operating System remotely to execute arbitrary code on the server that runs port operations or to extract sensitive data. This could disrupt container terminal workflows, alter shipping operations, or compromise port security and operational data.
Who's at risk
Container terminal operators and port authorities using Kaleris Navis N4 Terminal Operating System (any version before 4.0) for cargo management, berth operations, or shipping logistics are affected. The risk is highest for deployments where the N4 system is internet-facing or accessible from untrusted networks.
How it could be exploited
An attacker with network access to the exposed Navis N4 Ultra Light Client endpoint (typically port 80/443) can send a crafted request that exploits unsafe deserialization (CWE-502) to achieve remote code execution on the N4 application server without authentication, or can intercept the component's cleartext data transmission (CWE-319) to extract sensitive data.
Prerequisites
  • Network reachability to the Navis N4 web interface or Ultra Light Client endpoint
  • N4 version before 4.0 with Ultra Light Client enabled
  • No prior authentication required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (9.8), critical severity, unsafe deserialization (CWE-502), cleartext data transmission (CWE-319)
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (1)
Product: Navis N4
Affected versions: <4.0
Fix status: fixed in 3.1.44, 3.2.26, 3.3.27, 3.4.25, 3.5.18, 3.6.14, 3.7.0, 3.8.0, or 4.0
Remediation & Mitigation
Do now
WORKAROUND: Disable the Ultra Light Client by blocking URLs matching '*.jnlp' and '/ulc' patterns at your firewall or load balancer, or comment out the client configuration in web.xml and restart the N4 server.
HARDENING: Place the Navis N4 system behind a firewall if it is not required to be internet-facing.
HARDENING: Enable HTTPS/TLS on the N4 load balancer or firewall, and front it with a reliable third-party firewall that includes DDoS protection.
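As an added example (not part of the advisory and not Kaleris code), the script below audits web-server access logs for requests to the Ultra Light Client paths the workaround says to block ('*.jnlp' and '/ulc'), both to spot access attempts and to confirm that the block rule is actually returning an error rather than serving the request. The log lines and the paths in them are constructed samples, not real N4 URLs.

```python
"""Audit web-server access logs for requests to the Navis N4 Ultra Light
Client endpoints the advisory says to block ('*.jnlp' and '/ulc').
Added example, not Kaleris code. Log lines are constructed Common Log
Format samples; the paths in them are placeholders, not real N4 URLs."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: client ident authuser [timestamp] "request" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample: two ULC requests served (block rule missing), two
# denied by a filter, two unrelated requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2025:10:01:12 +0000] "GET /n4/launch.jnlp HTTP/1.1" 200 5120
203.0.113.7 - - [24/Jun/2025:10:01:13 +0000] "POST /ulc/ HTTP/1.1" 200 88
198.51.100.4 - - [24/Jun/2025:10:02:00 +0000] "GET /ulc/../ulc/applet HTTP/1.1" 403 0
198.51.100.4 - - [24/Jun/2025:10:02:05 +0000] "GET /%55LC/foo HTTP/1.1" 403 0
192.0.2.9 - - [24/Jun/2025:10:03:00 +0000] "GET /n4/login.html HTTP/1.1" 200 2048
192.0.2.9 - - [24/Jun/2025:10:03:01 +0000] "GET /static/ulc.css HTTP/1.1" 200 300
"""


def ulc_request(target: str) -> bool:
    """True if the request path is a '*.jnlp' file or sits under '/ulc'.
    Percent-decoding, case folding and '..' normalisation are applied so
    that obfuscated spellings of the same path are still recognised."""
    path = posixpath.normpath(unquote(urlsplit(target).path)).lower()
    first = path.lstrip("/").split("/")[0]
    return path.endswith(".jnlp") or first == "ulc"


def audit(log_text: str) -> tuple[int, list[tuple[str, str]]]:
    """Return (ULC requests seen, [(client, target)] of those answered
    with a status below 400, i.e. the block rule let them through).
    Lines that do not parse as CLF are skipped."""
    hits, served = 0, []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or not ulc_request(m["target"]):
            continue
        hits += 1
        if int(m["status"]) < 400:
            served.append((m["client"], m["target"]))
    return hits, served
```

Point audit() at the access log of the load balancer or firewall in front of N4; any entry it reports as served means the '*.jnlp'/'/ulc' block is not effective for that path.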
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Navis N4 to version 4.0 or the latest patch for your current release line (3.1.44, 3.2.26, 3.3.27, 3.4.25, 3.5.18, 3.6.14, 3.7.0, or 3.8.0).
HARDENING: If external access to N4 is required, implement network segmentation via VPN, an authenticated jump system (Citrix/VDI), or an IP whitelist for known external parties.
HARDENING: Restrict the number of N4 nodes exposed to the internet to the minimum necessary for operations.
