CVE-2026-23515

9.9 CRITICAL

📋 TL;DR

Signal K Server versions before 1.5.0 contain a command injection vulnerability in the set-system-time plugin that allows authenticated users with write permissions to execute arbitrary shell commands on the server. Unauthenticated users can also exploit this if server security is disabled, potentially leading to complete system compromise on affected marine navigation systems.

💻 Affected Systems

Products:
  • Signal K Server
Versions: All versions prior to 1.5.0
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable only while the set-system-time plugin is enabled. The plugin acts on navigation.datetime values delivered in WebSocket delta messages, so any client that can write deltas to the server can reach the injection point.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands as the server user, potentially gaining root access, installing malware, or disrupting critical marine navigation systems.

🟠

Likely Case

Authenticated users with write permissions could execute arbitrary commands, potentially compromising the server and connected marine systems.

🟢

If Mitigated

With authentication enabled and write permission restricted, the injection point is reachable only by accounts that already hold write access; those accounts can still exploit the plugin until the server is patched or the plugin is disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted WebSocket messages. Unauthenticated exploitation only possible when security is disabled on the Signal K server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.0

Vendor Advisory: https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg

Restart Required: Yes

Instructions:

1. Back up the current configuration, including plugin settings.
2. Update Signal K Server to version 1.5.0 or later.
3. Restart the Signal K Server service.
4. Verify that the running server reports version 1.5.0 or later.

🔧 Temporary Workarounds

Disable set-system-time plugin

Applies to: all platforms

Temporarily disable the vulnerable plugin until patching can be completed. This removes the injection point entirely.

1. Edit the Signal K Server configuration to remove or disable the set-system-time plugin.
2. Restart Signal K Server.

Enable authentication

Applies to: all platforms

Ensure authentication is enabled on Signal K Server to prevent unauthenticated exploitation. This closes only the unauthenticated path; accounts with write permission can still reach the injection point until the server is patched.

1. Configure the Signal K Server security settings to require authentication.
2. Restart Signal K Server.

🧯 If You Can't Patch

  • Disable the set-system-time plugin immediately
  • Enable authentication and restrict write permissions to trusted users only
  • Isolate Signal K Server from untrusted networks
  • Implement network segmentation to limit potential lateral movement

🔍 How to Verify

Check if Vulnerable:

Vulnerable if the Signal K Server version is below 1.5.0 and the set-system-time plugin is enabled. With the plugin disabled the injection point is not reachable, but the server should still be updated.

Check Version:

The version is shown in the Signal K Server web interface and in the configuration files; the server also reports it in the server.version field of its /signalk discovery document.

Verify Fix Applied:

Verify Signal K Server version is 1.5.0 or higher and the set-system-time plugin has been updated
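The version check above can be scripted. The following is an added example written for this page, not tooling from the advisory or from the Signal K project: it reads a server's /signalk discovery document and compares server.version numerically against 1.5.0 (a plain string comparison would wrongly put "1.10.0" before "1.5.0"). The discovery document layout (server.id, server.version) follows the Signal K discovery response; the base URL in checkHost() is an assumption. The advisory states the fix as 1.5.0; if the version you need to compare is that of the set-system-time package rather than the server, pass that string to isVulnerableVersion() instead.

```javascript
// Added example for this page; not part of the advisory or of Signal K Server.
const FIXED_VERSION = '1.5.0';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" with an optional leading "v".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v ?? '').trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Numeric comparison so "1.10.0" sorts after "1.5.0"; a prerelease of X.Y.Z sorts
// before the X.Y.Z release, as in semver, so "1.5.0-beta.1" still counts as unfixed.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.prerelease !== b.prerelease) return a.prerelease ? -1 : 1;
  return 0;
}

// true = vulnerable, false = fixed, null = version string not understood (check by hand).
function isVulnerableVersion(version) {
  const parsed = parseVersion(version);
  if (!parsed) return null;
  return compareVersions(parsed, parseVersion(FIXED_VERSION)) < 0;
}

// Interpret a /signalk discovery document.
function assessDiscovery(doc) {
  const server = doc && doc.server;
  if (!server || typeof server.version !== 'string') {
    return { status: 'unknown', reason: 'no server.version in discovery document' };
  }
  const vulnerable = isVulnerableVersion(server.version);
  return {
    status: vulnerable === null ? 'unknown' : vulnerable ? 'vulnerable' : 'patched',
    id: server.id,
    version: server.version,
  };
}

// Live check (Node 18+ global fetch). The base URL is an assumption for the example.
// This reports the server version only; whether the set-system-time plugin is enabled
// still has to be checked in the server's plugin configuration.
async function checkHost(baseUrl = 'http://localhost:3000') {
  const res = await fetch(`${baseUrl}/signalk`);
  return assessDiscovery(await res.json());
}
```

Run it as `checkHost('http://boat-server:3000').then(console.log)` against each server; a result of `unknown` means the version string needs a manual look rather than a pass.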

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell command execution from Signal K Server process
  • Suspicious WebSocket delta messages containing shell metacharacters
  • Failed authentication attempts followed by command execution

Network Indicators:

  • Unusual WebSocket traffic patterns to Signal K Server
  • Suspicious payloads in WebSocket messages containing shell commands

SIEM Query:

Alert when a child process of the Signal K Server node process is a shell (sh, bash, cmd.exe) whose command line contains shell metacharacters alongside a timestamp-like string, OR when a WebSocket delta sent to the server carries a navigation.datetime value that is not a well-formed ISO-8601 timestamp.
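To make the WebSocket-side indicator concrete, here is an added example written for this page, not from the advisory or from Signal K: it scans a capture of delta frames and reports navigation.datetime values that carry shell metacharacters or are not well-formed timestamps. The frame layout (context, updates[], values[] with path and value, $source or source.label) is the Signal K delta format; the sample frames are constructed for the example, and the metacharacter set is a choice made here.

```javascript
// Added detection example for this page; not part of the advisory or of Signal K Server.
const SHELL_META = /[;&|`$(){}<>\\\n'"]/;
const ISO8601_UTC = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/;

// Scan one raw frame; returns zero or more findings.
function scanDelta(raw) {
  const findings = [];
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return findings; } // not JSON: ignore
  if (!msg || typeof msg !== 'object') return findings;
  const updates = Array.isArray(msg.updates) ? msg.updates : [];
  for (const update of updates) {
    const values = Array.isArray(update.values) ? update.values : [];
    for (const { path, value } of values) {
      if (path !== 'navigation.datetime') continue;
      const text = typeof value === 'string' ? value : JSON.stringify(value);
      const meta = SHELL_META.exec(text);
      if (!meta && ISO8601_UTC.test(text)) continue; // clean timestamp
      findings.push({
        context: msg.context ?? 'vessels.self',
        source: update.source?.label ?? update.$source ?? 'unknown',
        value: text,
        reason: meta ? `shell metacharacter ${JSON.stringify(meta[0])}` : 'not an ISO-8601 UTC timestamp',
      });
    }
  }
  return findings;
}

// Scan a whole capture (one raw frame per array element).
function scanCapture(frames) {
  return frames.flatMap(scanDelta);
}

// Constructed capture: a hello frame, a benign delta, and two injection attempts.
const SAMPLE_CAPTURE = [
  '{"name":"signalk-server","version":"1.4.0","roles":["master","main"]}',
  '{"context":"vessels.self","updates":[{"$source":"gps.0","timestamp":"2026-02-01T12:00:00Z","values":[{"path":"navigation.datetime","value":"2026-02-01T12:00:00Z"},{"path":"navigation.position","value":{"latitude":60.1,"longitude":24.9}}]}]}',
  '{"context":"vessels.self","updates":[{"source":{"label":"ws.client"},"values":[{"path":"navigation.datetime","value":"2026-02-01T12:00:00Z\\"; touch /tmp/pwned; echo \\""}]}]}',
  '{"context":"vessels.self","updates":[{"$source":"ws.client","values":[{"path":"navigation.datetime","value":"$(id)"}]}]}',
];

console.log(scanCapture(SAMPLE_CAPTURE));
```

Feed it the frames from a WebSocket capture or from the server's own debug logging; the `source` field in each finding tells you which connection supplied the value, which is the first thing to pivot on during triage. The hello frame and the position update produce nothing, so the scanner is quiet on normal traffic.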
