MacGregor Voyage Data Recorder (VDR) G4e

Plan PatchCVSS 8.3ICS-CERT ICSA-26-148-01May 28, 2026

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

MacGregor Voyage Data Recorder (VDR) G4e devices contain multiple vulnerabilities allowing unauthenticated or inadequately-authenticated access to administrative functions. Affected versions are earlier than V5.250. Vulnerabilities include improper authentication (CWE-1392), plaintext credential storage (CWE-522), insufficient access control (CWE-916), and hard-coded or default credentials (CWE-798). Successful exploitation could grant an attacker full administrator access to modify or delete voyage records, disable monitoring systems, or interfere with critical maritime safety equipment.

What this means

What could happen

An attacker with network access to the VDR could gain full administrator control of the device, potentially altering or deleting critical voyage records, disabling safety monitoring, or disrupting maritime operations and accident investigation capabilities.

Who's at risk

Maritime operators and vessel managers using MacGregor Voyage Data Recorder (VDR) G4e systems. VDRs are critical safety and regulatory equipment on commercial vessels that continuously record bridge operations, audio, and navigation data for accident investigation and compliance purposes.

How it could be exploited

An attacker on the same network segment as the VDR G4e could exploit authentication or credential storage weaknesses to gain unauthenticated or easily-escalated access to the device, resulting in administrator-level control.

Prerequisites

Network access to the VDR G4e device (same local network or accessible from administrative network)
Device running firmware version below V5.250

remotely exploitabledefault credentials suspected (CWE-798)weak credential storage (CWE-522)affects safety/compliance systemshigh CVSS score (8.3)

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (1)

ProductAffected VersionsFix Status

MacGregor Voyage Data Recorder (VDR) G4e<V5.250Fix available

Remediation & Mitigation

0/1

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate MacGregor VDR G4e firmware to version V5.250 or later

CVEs (5)

CVE-2026-40425 CVE-2026-42929 CVE-2026-42941 CVE-2026-42951 CVE-2026-44611

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3bd94da1-b1ff-4e33-bf71-ef7b6e731b2d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.