Vulnerabilities · January 2, 2026 · 4 min read

Critical RCE Flaw in Signal K Threatens Marine Vessels

CVE-2025-66398 lets an unauthenticated attacker plant a malicious restore path that an administrator's next restore turns into code execution on boat navigation servers. The CVSS 9.6 vulnerability affects all versions before 2.19.0.

Marcus Chen

A critical vulnerability in Signal K Server allows unauthenticated attackers to achieve remote code execution on marine vessel systems. CVE-2025-66398 carries a CVSS score of 9.6 and affects all versions of the popular open-source boat server software prior to 2.19.0.

Signal K Server functions as a central hub on vessels, aggregating data from navigation instruments, sensors, and onboard systems. Compromising it could give attackers visibility into—or control over—critical maritime systems.

What is Signal K?

Signal K is an open-source project that provides a modern data format and server infrastructure for boats. Think of it as the integration layer connecting GPS, depth sounders, wind instruments, autopilots, and other marine electronics into a unified system.

The Signal K Server runs on single-board computers like Raspberry Pi or dedicated marine hardware. It exposes web interfaces for configuration and data visualization, often accessible over the vessel's local network—and sometimes, unfortunately, exposed to the internet.

The project is popular among sailing enthusiasts, commercial marine operators, and anyone looking to modernize older vessel electronics. Its open-source nature and plugin architecture have driven significant adoption.

How CVE-2025-66398 Works

The vulnerability chains two weaknesses. First, an unauthenticated attacker can pollute the server's internal state, specifically a variable called restoreFilePath, by calling the /skServer/validateBackup endpoint. No login is required.

This sets up the second stage: hijacking the administrator's "Restore" function. When an admin later performs a backup restore through the legitimate interface, the server acts on the attacker-controlled path rather than the one the administrator intended, so attacker-chosen content ends up where the restore writes.

By overwriting critical configuration files like security.json or package.json, attackers can:

  • Take over administrator accounts
  • Modify server behavior
  • Achieve remote code execution

The attack requires an administrator to trigger a restore after the attacker has polluted the state. A restore is not an everyday action, but the attacker can plant the value and simply wait, and on actively maintained vessels, where backups are restored after hardware swaps or configuration mishaps, the condition may be met sooner than operators expect.

Maritime Security Implications

Boats aren't typically thought of as cybersecurity targets, but they increasingly run complex networked systems. A compromised Signal K Server could:

  • Feed false navigation data to displays and autopilots
  • Access AIS information revealing vessel location and identity
  • Disable or manipulate safety systems
  • Serve as a pivot point for attacking other networked marine electronics

For commercial vessels, the stakes include cargo safety, crew welfare, and environmental protection. Yachts and recreational boats may hold less critical cargo but still represent privacy and safety concerns.

The maritime sector has lagged other industries in cybersecurity maturity. Many vessel systems were designed for isolated operation and lack authentication or encryption. Signal K's modern approach is actually an improvement over legacy marine electronics—but as this vulnerability shows, modern connected systems bring modern connected risks.

Remediation

Update Signal K Server to version 2.19.0 or later immediately. The patch addresses the state pollution vulnerability and prevents unauthenticated manipulation of restore paths.

For vessels that can't update immediately:

  1. Restrict network access to the Signal K Server web interface
  2. Avoid performing backup restores until patched
  3. Monitor security.json, package.json and the rest of the configuration directory for changes nobody on board made
  4. Never expose Signal K directly to the internet

Many Signal K installations are accessible only on the vessel's local network, which limits exposure. But marina WiFi networks, cellular connections, and improper router configurations can inadvertently expose these systems. Operators should verify their network segmentation.

The Broader IoT Picture

Signal K is part of a broader pattern: specialized IoT systems designed by enthusiasts and small teams, focused on functionality over security. The Signal K project maintainers responded appropriately by patching the vulnerability, but the 9.6 CVSS score reflects both the impact and the low barrier to entry: no credentials are needed to plant the polluted value, only reachability of the web interface.

For security professionals, maritime IoT represents an overlooked attack surface. The industry's shift toward connected vessels creates opportunities for attackers who understand both networking and nautical systems.

Vessel operators should treat onboard computing systems with the same security rigor applied to shore-based infrastructure—regular updates, network segmentation, access controls, and monitoring. The romanticism of the open sea doesn't change the reality that connected systems face connected threats.
