{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42951", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-05-07T16:55:26.102Z", "datePublished": "2026-05-29T17:32:11.492Z", "dateUpdated": "2026-05-29T19:43:09.533Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-05-29T17:32:11.492Z"}, "title": "MacGregor Voyage Data Recorder (VDR) G4e Insufficiently Protected Credentials", "datePublic": "2026-05-28T17:22:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-522", "description": "CWE-522", "type": "CWE"}]}], "affected": [{"vendor": "Danelec", "product": "MacGregor Voyage Data Recorder (VDR) G4e", "versions": [{"status": "affected", "version": "0", "lessThan": "5.250", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An authenticated\nuser can download a backup of the\u00a0Danelec MacGregor Voyage Data Recorder\n\n\ndevice which includes account data and password hashes.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span>An authenticated</span>\n<span>user can download a backup of the&nbsp;</span><span>Danelec MacGregor Voyage Data Recorder</span>\n\n\n<span>device which includes account data and password hashes.</span>"}]}], "references": [{"url": "https://www.danelec.com/contact"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "Danelec has released firmware version V5.250 to resolve these vulnerabilities. Users of MacGregor Voyage Data Recorder (VDR) G4e devices are encouraged to update the firmware at the earliest service attendance rather than waiting for an annual performance test. Contact Danelec with additional questions:\u00a0 https://www.danelec.com/contact", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span>Danelec has released firmware version V5.250 to resolve these vulnerabilities. Users of MacGregor Voyage Data Recorder (VDR) G4e devices are encouraged to update the firmware at the earliest service attendance rather than waiting for an annual performance test. Contact Danelec with additional questions:&nbsp;</span><a href=\"https://www.danelec.com/contact\">https://www.danelec.com/contact</a>"}]}], "credits": [{"lang": "en", "value": "Andrew Tierney of Pen Test Partners reported these vulnerabilities to CISA.", "type": "finder"}], "source": {"advisory": "ICSA-26-148-01", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-29T19:42:42.913020Z", "id": "CVE-2026-42951", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-29T19:43:09.533Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42951", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-29T19:42:42.913020Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-29T19:43:04.619Z"}}], "cna": {"title": "MacGregor Voyage Data Recorder (VDR) G4e Insufficiently Protected Credentials", "source": {"advisory": "ICSA-26-148-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Andrew Tierney of Pen Test Partners reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.9, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Danelec", "product": "MacGregor Voyage Data Recorder (VDR) G4e", "versions": [{"status": "affected", "version": "0", "lessThan": "5.250", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Danelec has released firmware version V5.250 to resolve these vulnerabilities. Users of MacGregor Voyage Data Recorder (VDR) G4e devices are encouraged to update the firmware at the earliest service attendance rather than waiting for an annual performance test. Contact Danelec with additional questions:\u00a0 https://www.danelec.com/contact", "supportingMedia": [{"type": "text/html", "value": "<span>Danelec has released firmware version V5.250 to resolve these vulnerabilities. Users of MacGregor Voyage Data Recorder (VDR) G4e devices are encouraged to update the firmware at the earliest service attendance rather than waiting for an annual performance test. Contact Danelec with additional questions:&nbsp;</span><a href=\"https://www.danelec.com/contact\">https://www.danelec.com/contact</a>", "base64": false}]}], "datePublic": "2026-05-28T17:22:00.000Z", "references": [{"url": "https://www.danelec.com/contact"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json"}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "An authenticated\nuser can download a backup of the\u00a0Danelec MacGregor Voyage Data Recorder\n\n\ndevice which includes account data and password hashes.", "supportingMedia": [{"type": "text/html", "value": "<span>An authenticated</span>\n<span>user can download a backup of the&nbsp;</span><span>Danelec MacGregor Voyage Data Recorder</span>\n\n\n<span>device which includes account data and password hashes.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-05-29T17:32:11.492Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42951", "state": "PUBLISHED", "dateUpdated": "2026-05-29T19:43:09.533Z", "dateReserved": "2026-05-07T16:55:26.102Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-05-29T17:32:11.492Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:macgregor:interschalt_vdr_g4e_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9180A60B-ED37-4BC4-A254-B745A0236A2C", "versionEndExcluding": "5.250", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:macgregor:interschalt_vdr_g4e:-:*:*:*:*:*:*:*", "matchCriteriaId": "BF42A648-D783-4FCB-BE6A-C9D0EF0EB2F6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated\nuser can download a backup of the\u00a0Danelec MacGregor Voyage Data Recorder\n\n\ndevice which includes account data and password hashes."}], "id": "CVE-2026-42951", "lastModified": "2026-06-04T18:30:26.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-05-29T19:16:24.113", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["US Government Resource", "Third Party Advisory"], "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["US Government Resource", "Third Party Advisory"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://www.danelec.com/contact"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.250)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MacGregor Voyage Data Recorder (VDR) G4e", "source": "cna", "vendor": "Danelec"}, "product": "macgregor_voyage_data_recorder_(vdr)_g4e", "vendor": "danelec"}], "created": "2026-05-29T19:30:05.841090+00:00", "updated": "2026-05-30T21:18:16.545642+00:00", "vendors": ["danelec", "danelec$PRODUCT$macgregor_voyage_data_recorder_(vdr)_g4e"]}