CVE-2025-68273

Leaking the Bilge: Signal K Server Unauthenticated Info Disclosure

Amit Schendel
Senior Security Researcher

Jan 2, 2026

Executive Summary (TL;DR)

Versions of Signal K Server prior to 2.19.0 allow unauthenticated access to sensitive diagnostic endpoints. A remote attacker with no credentials can enumerate the host's serial ports, read the full server data schema, and fingerprint installed analyzers, because the application's middleware routing logic never applied an authorization check to these endpoints. The impact is limited to information disclosure (CVSS 3.1 base score 5.3, C:L/I:N/A:N): no integrity or availability impact is reported, but the leaked hardware and schema details are exactly what an attacker needs to plan a follow-on attack against the vessel's network.

Signal K Server, the open-source data hub for modern connected boats, used a 'fail-open' authorization design: a centralized security module enforced authentication only on routes that were explicitly listed there, and any route missing from that list was served to anonymous callers. Three diagnostic API endpoints were never added to that list, so developers inadvertently exposed system internals and hardware configuration to unauthenticated remote attackers. Version 2.19.0 corrects the omission. The durable lesson for practitioners is that an allowlist of protected routes will fail in exactly this way every time a new route is added; authentication middleware should deny by default and carry a short, explicit list of public routes instead.


Technical Appendix

CVSS Score: 5.3 / 10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Probability: 0.04%
Internet-exposed instances (via Shodan): 2,500

Affected Systems

Signal K Server < 2.19.0

Affected Versions Detail

Product: Signal K Server (Signal K)
Affected Versions: < 2.19.0
Fixed Version: 2.19.0

Attribute: Detail
CWE ID: CWE-200
Attack Vector: Network
CVSS Score: 5.3
Impact: Information Disclosure
Patch Commit: ead2a03d8994969cafcca0320abee16f0e66e7a9
Exploit Status: PoC Available
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (Information Disclosure)

Vulnerability Timeline

2024-04-12: Patch committed to master branch
2024-04-12: Version 2.19.0 released
2025-02-14: CVE published
