Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.
AI Analyst Comment
Remediation
Update Signal K Server to the latest version. Monitor for exploitation attempts and review access logs.
Executive Summary:
A critical vulnerability exists in the Signal K Server application that allows an unauthenticated remote attacker to gain complete control of the server. By manipulating the backup validation process, an attacker can overwrite critical system files, leading to administrator account takeover and the ability to execute arbitrary code. This could result in the total compromise of the boat's central hub server, impacting systems it controls.
Vulnerability Details
CVE-ID: CVE-2025-66398
Affected Software: Signal K Server
Affected Versions: All versions prior to 2.19.0
Vulnerability: The vulnerability is a state pollution flaw in the `/skServer/validateBackup` endpoint. An unauthenticated attacker can send a specially crafted request to this endpoint, which improperly sets an internal server variable (`restoreFilePath`) to a malicious path of their choosing. When a legitimate administrator subsequently performs a restore operation through the user interface, the server unknowingly uses the attacker-controlled file path, allowing the attacker to overwrite arbitrary files on the server. By targeting critical configuration files such as `security.json` or `package.json`, the attacker can disable security, create or modify user accounts to gain administrative access, or inject malicious commands to achieve Remote Code Execution (RCE).
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.6, reflecting the high potential for significant damage. Successful exploitation could lead to a complete compromise of the Signal K server, granting an attacker full administrative control. The consequences include unauthorized access to sensitive operational data, disruption of the boat's integrated systems, and the ability to use the compromised server to launch further attacks against other networked devices. For a maritime environment, this could pose a direct risk to the vessel's operational integrity and safety.
Remediation Plan
Immediate Action: Immediately upgrade all instances of Signal K Server to version 2.19.0 or later, as this version contains the patch for the vulnerability. After upgrading, review server configuration files, particularly `security.json`, for any unauthorized modifications.
Proactive Monitoring: System administrators should actively monitor web server access logs for any unusual or repeated requests to the `/skServer/validateBackup` endpoint, especially from untrusted or external IP addresses. Implement file integrity monitoring on critical configuration files (`security.json`, `package.json`) to detect and alert on any unauthorized changes.
Compensating Controls: If immediate patching is not feasible, implement network-level access controls to restrict access to the Signal K Server's administrative interface. Use a firewall or reverse proxy to block external access to the `/skServer/validateBackup` endpoint. A Web Application Firewall (WAF) could also be configured to inspect and block requests containing malicious path traversal payloads targeting this endpoint.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the published date of Jan 1, 2026, there are no known public exploits or active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, due to its critical severity and the low complexity required for exploitation, the likelihood of an exploit being developed is high.
Analyst Recommendation
Given the critical CVSS score of 9.6 and the potential for unauthenticated remote code execution, this vulnerability represents a severe risk to the organization. We strongly recommend that all affected Signal K Server instances be patched to version 2.19.0 or later with the highest priority. If patching cannot be performed immediately, the compensating controls listed above should be implemented without delay to reduce the attack surface. Organizations should treat this as an urgent threat and prioritize remediation efforts to prevent a potential system compromise.
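To make the Proactive Monitoring guidance in the Remediation Plan concrete, the following is an added example (not part of this advisory and not Signal K project code): it flags requests to the `/skServer/validateBackup` endpoint coming from outside assumed trusted onboard networks, counts repeated sources, and checks `security.json` and `package.json` against a SHA-256 baseline. The log lines, network ranges and file contents are constructed for illustration.

```python
import hashlib
import ipaddress
import re
from collections import Counter

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.168.1.20 - - [01/Jan/2026:10:00:01 +0000] "GET /signalk/v1/api/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Jan/2026:10:00:05 +0000] "POST /skServer/validateBackup HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2026:10:02:13 +0000] "POST /skServer/validateBackup HTTP/1.1" 200 88 "-" "curl/8.4.0"
203.0.113.7 - - [01/Jan/2026:10:02:14 +0000] "POST /skServer/validateBackup?x=1 HTTP/1.1" 200 88 "-" "curl/8.4.0"
198.51.100.9 - - [01/Jan/2026:10:03:00 +0000] "GET /admin HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Assumed trusted onboard networks (hypothetical); set these to the vessel's real LAN ranges.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
WATCHED_ENDPOINT = "/skServer/validateBackup"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious_requests(log_text: str) -> list[dict]:
    """Requests to the validateBackup endpoint from outside the trusted networks."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # compare the path without its query string
        if path == WATCHED_ENDPOINT and not is_trusted(m["ip"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"], "status": int(m["status"])})
    return hits

def repeated_sources(hits: list[dict], threshold: int = 2) -> dict[str, int]:
    """Source IPs that hit the endpoint at least `threshold` times (repeated probing)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def sha256_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Record a SHA-256 hash per watched config file (file name -> file bytes)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def changed_files(baseline: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Watched files whose current content no longer matches the baseline (or went missing)."""
    now = sha256_baseline(current)
    return sorted(name for name in baseline if now.get(name) != baseline[name])
```

In a deployment, read the real access log and the on-disk config files in place of the constructed values, and record the baseline hashes immediately after upgrading to 2.19.0 so later changes can be attributed.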