## MacGregor VDR G4e Vulnerabilities Expose Critical Infrastructure Researchers have uncovered several critical vulnerabilities in the **MacGregor Voyage Data Recorder (VDR) G4e**, a device widely used in the transportation sector. According to a report by **CISA**, successful exploitation of these flaws could grant attackers administrator-level control over affected systems. The affected product is: * MacGregor Voyage Data Recorder (VDR) G4e <V5.250 ### Vulnerability Breakdown The vulnerabilities, discovered by Andrew Tierney of **Pen Test Partners**, include: * **CVE-2026-42941**: Use of Default Credentials. The VDR device ships with a default username and password, and does not force users to change them. This vulnerability has a CVSS v3 score of 8.3. * **CVE-2026-42951**: Insufficiently Protected Credentials. An authenticated user can download a backup of the device that includes account data and password hashes. This vulnerability has a CVSS v3 score of 8.3. * **CVE-2026-42929**: Use of Hard-coded Credentials. The device includes default accounts with hard-coded credentials. This vulnerability has a CVSS v3 score of 8.3. ### Impact and Mitigation These vulnerabilities pose a significant risk, particularly within the transportation systems sector, as compromised VDRs could lead to data manipulation, system disruption, or other malicious activities. **CISA** urges organizations to implement the following defensive measures: * Minimize network exposure for all control system devices and systems, ensuring they are not directly accessible from the internet. * Locate control system networks and remote devices behind firewalls, isolating them from business networks. * When remote access is required, utilize secure methods like VPNs, ensuring that the VPN solutions are up-to-date with the latest security patches. * Perform proper impact analysis and risk assessment prior to deploying any defensive measures. **CISA** also provides recommended cybersecurity strategies for proactive defense of ICS assets, including the "Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies" document. Organizations that observe suspected malicious activity are encouraged to follow established internal procedures and report findings to **CISA** for tracking and correlation against other incidents. ### Vendor Information * **Vendor:** **Danelec** * **Affected Product:** MacGregor Voyage Data Recorder (VDR) G4e * **Affected Versions:** <V5.250 It is highly recommended that users of the affected **MacGregor** VDR G4e versions update their systems to a patched version as soon as it becomes available from **Danelec**.