CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23515: Mutiny on the Bounty: Full Root Compromise via Signal K Time Sync


Vulnerability ID: CVE-2026-23515
CVSS Score: 10.0
Published: 2026-02-02

A critical OS Command Injection vulnerability exists in the Signal K Server's set-system-time plugin. By sending a crafted WebSocket message to the navigation.datetime path, an authenticated (or unauthenticated, depending on config) attacker can inject arbitrary shell commands. Because the plugin requires sudo privileges to set the system time, this vulnerability typically results in immediate Remote Code Execution (RCE) as root, allowing full compromise of marine navigation systems.

TL;DR

Signal K's time-sync plugin blindly passed user input into a system shell command. Attackers can hijack the boat's server by sending a malicious 'time' update, gaining root access instantly. CVSS 10.0.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-78
  • Attack Vector: Network (AV:N)
  • CVSS v3.1: 10.0 (Critical)
  • Privileges Required: None / Low (Context Dependent)
  • Impact: Remote Code Execution (Root)
  • Patch Status: Available (v1.5.0)

Affected Systems

  • Signal K Server
  • set-system-time plugin < 1.5.0 (fixed in 1.5.0)
  • Marine navigation systems utilizing Signal K

Code Analysis

Commit: 75b11ea

Fix command injection vulnerability by validating datetime format

+            if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z?$/.test(datetime)) {
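Review bot: the check at `if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z?$/.test(datetime))` whitelists an ISO 8601 date-time and so excludes every shell metacharacter, but the rejection branch and the call that consumes `datetime` are outside the visible line; confirm the failing case returns before anything is executed rather than logging and falling through, and consider pairing the format check with a non-shell invocation (argument array rather than an interpolated command string) so the regex is not the only barrier between the WebSocket value and sudo.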

Exploit Details

  • N/A: Exploit logic is trivial via WebSocket delta messages; no public exploit script required for POC.

Mitigation Strategies

  • Input Validation (Whitelist)
  • Principle of Least Privilege
  • Network Segmentation
  • Sudo configuration hardening

Remediation Steps:

  1. Update set-system-time plugin to version 1.5.0 immediately.
  2. Verify Signal K Server is running with appropriate user permissions (not root).
  3. Audit /etc/sudoers to ensure the Signal K user is restricted to specific binaries.
  4. Enable Authentication in Signal K admin settings.

Read the full report for CVE-2026-23515 on our website for more details including interactive diagrams and full exploit analysis.
