CVE-2025-66398
Vendor: Signal · Product: Signal K Server (a server application that runs on a central hub) · Affected: Multiple Products
Executive summary
A critical vulnerability exists in the Signal K Server application that allows an unauthenticated remote attacker to gain complete control of the server. By manipulating the backup validation process, an attacker can overwrite critical system files, leading to administrator account takeover and the ability to execute arbitrary code. This could result in the total compromise of the boat's central hub server, impacting systems it controls.
Vulnerability
The vulnerability is a state pollution flaw in the /skServer/validateBackup endpoint. An unauthenticated attacker can send a specially crafted request to this endpoint, which improperly sets an internal server variable (restoreFilePath) to a malicious path of their choosing. When a legitimate administrator subsequently performs a restore operation through the user interface, the server unknowingly uses the attacker-controlled file path, allowing the attacker to overwrite arbitrary files on the server. By targeting critical configuration files such as security.json or package.json, the attacker can disable security, create or modify user accounts to gain administrative access, or inject malicious commands to achieve Remote Code Execution (RCE).
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.6, reflecting the high potential for significant damage. Successful exploitation could lead to a complete compromise of the Signal K server, granting an attacker full administrative control. The consequences include unauthorized access to sensitive operational data, disruption of the boat's integrated systems, and the ability to use the compromised server to launch further attacks against other networked devices. For a maritime environment, this could pose a direct risk to the vessel's operational integrity and safety.
Remediation
Immediate Action: Upgrade all instances of Signal K Server to version 2.19.0 or later without delay, as this version contains the patch for the vulnerability. After upgrading, review server configuration files, particularly security.json, for any unauthorized modifications.
Proactive Monitoring: System administrators should actively monitor web server access logs for any unusual or repeated requests to the /skServer/validateBackup endpoint, especially from untrusted or external IP addresses. Implement file integrity monitoring on critical configuration files (security.json, package.json) to detect and alert on any unauthorized changes.
Compensating Controls: If immediate patching is not feasible, implement network-level access controls to restrict access to the Signal K Server's administrative interface. Use a firewall or reverse proxy to block external access to the /skServer/validateBackup endpoint. A Web Application Firewall (WAF) could also be configured to inspect and block requests containing malicious path traversal payloads targeting this endpoint.
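As an added example that is not part of this advisory or of the Signal K project, the "Proactive Monitoring" item above as runnable detection logic: it parses combined-format access log lines (constructed samples), flags requests to /skServer/validateBackup that come from outside an assumed set of trusted RFC 1918 ranges or repeat from one source, and compares watched configuration files against a recorded SHA-256 baseline.

```python
import hashlib
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /signalk/v1/api/ HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "POST /skServer/validateBackup HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "POST /skServer/validateBackup HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.168.1.20 - - [01/Jan/2025:10:05:00 +0000] "POST /skServer/validateBackup HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Jan/2025:10:05:30 +0000] "POST /skServer/restore HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PATH = "/skServer/validateBackup"
# Assumed trusted ranges (RFC 1918 boat LAN plus loopback); adjust to the deployment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def validate_backup_hits(log_text):
    """Count requests to the validateBackup endpoint per source IP and tag each as external or not."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == WATCHED_PATH:
            hits[m.group("ip")] += 1
    return {ip: {"count": n, "external": not is_internal(ip)} for ip, n in hits.items()}

def alerts(log_text, repeat_threshold=2):
    """Alert on any external source, or any source repeating the request at or above the threshold."""
    found = []
    for ip, info in validate_backup_hits(log_text).items():
        if info["external"] or info["count"] >= repeat_threshold:
            found.append((ip, info["count"], "external" if info["external"] else "repeated"))
    return sorted(found)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def config_drift(current, baseline):
    """Watched files (e.g. security.json, package.json) whose current bytes no longer match the baseline digest."""
    return sorted(name for name, data in current.items() if sha256_hex(data) != baseline.get(name))
```

In production, feed `alerts` the real access log and `config_drift` the bytes of security.json and package.json read from disk against digests recorded right after a clean upgrade to 2.19.0 or later.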
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.6 and the potential for unauthenticated remote code execution, this vulnerability represents a severe risk to the organization. We strongly recommend that all affected Signal K Server instances be patched to version 2.19.0 or later with the highest priority. If patching cannot be performed immediately, the compensating controls listed above should be implemented without delay to reduce the attack surface. Organizations should treat this as an urgent threat and prioritize remediation efforts to prevent a potential system compromise.