Jan 2, 2026
Signal K Server broadcast sensitive 'access request' events—including request IDs—to unauthenticated WebSocket clients. Coupled with a polling endpoint that returned plaintext JWTs upon request approval, this allowed attackers to passively snoop on legitimate login attempts and steal the resulting session tokens, granting full administrative control over the vessel's data server.
A critical authentication bypass in Signal K Server allows unauthenticated attackers to hijack administrative sessions. By listening to the public WebSocket stream for access request IDs and polling an insecure REST endpoint, attackers can steal valid JWTs the moment an administrator approves a legitimate device.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Signal K Server (Signal K) | < 2.19.0 | 2.19.0 |

| Attribute | Detail |
|---|---|
| Attack Vector | Network (WebSocket & REST) |
| CVSS v3.1 | 9.1 (Critical) |
| CWE | CWE-306 (Missing Authentication for Critical Function) |
| Exploit Status | PoC Available |
| Impact | Full Admin Compromise |
| Prerequisites | None (Unauthenticated) |
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.