CISA warns that unpatched MacGregor VDR G4e devices can be taken over by attackers.
The U.S. Cybersecurity and Infrastructure Security Agency published an advisory on May 28 identifying six high‑ and medium‑severity flaws in the MacGregor Voyage Data Recorder (VDR) G4e, all affecting firmware older than version 5.250. The issues include default usernames and passwords, hard‑coded credentials, insecure password hashes and a web‑admin interface that can edit authentication files. Danelec, the manufacturer, has released firmware 5.250 that addresses every listed vulnerability. The agency recommends ship operators install the update as soon as possible, preferably during the next service visit rather than waiting for an annual performance test.
Maritime control systems have long been a soft target for threat actors because they often sit on isolated networks with lax credential hygiene. By exposing default accounts and weak hashing, the VDR could serve as an entry point to a vessel’s broader network, potentially allowing attackers to alter log data or disrupt navigation aids. Updating now removes a low-effort foothold and aligns with the broader push to harden industrial control systems against supply-chain-style attacks.
The fix arrives amid a spate of similar patches for shipboard equipment, echoing the 2024 breach of a navigation system in which default credentials were leveraged. Operators who have deferred firmware updates for cost or schedule reasons should treat this as a reminder: the cheapest security lapse is often the one you never notice until it’s exploited.
