NVD Published Date: 01/01/2026
Preface: Signal K's popularity in the IoT space, especially in marine technology, is growing because of its open-source nature. It enables advanced, connected and personalized vessel data systems and integrates with trends such as AI, edge computing (for example via Meshtastic) and edge devices for remote monitoring and control, mirroring the broader IoT boom expected to exceed 70 billion devices by 2025.
GPS tells a ship where it is using satellites (passive location). AIS (Automatic Identification System) is a communication system that broadcasts and receives data such as a vessel's identity, destination and position to other vessels over VHF radio (active sharing), typically using GPS as the source of its own position.
Background: When a client connects to the server's event stream endpoint over WebSocket or HTTP with a specific query parameter (e.g., serverevents=all), the server is designed to send it all cached server events, including ACCESS_REQUEST events.
This mechanism typically operates as follows:
Connection and Parameter Usage
- WebSocket: A client establishes a WebSocket connection using a URL that includes the desired query parameter, such as wss://server-address/stream?serverevents=all.
- HTTP (Server-Sent Events): The client makes a long-lived HTTP GET request (using the EventSource API in a browser) to a similar URL, like https://server-address/stream?serverevents=all.
- Server Logic: The server’s event handling function iterates over its internal cache of past events and writes each one to the newly connected client as part of the initial data synchronization.
Ref: Neither the original NMEA 2000 standard nor the automotive CAN bus protocol has built-in authentication or encryption requirements. These standards were designed for reliable data exchange and real-time performance, not cybersecurity.
Vulnerability details: When a client connects to the server event stream endpoint over WebSocket or HTTP with the query parameter serverevents=all, signalk-server replays all cached server events to that client, including ACCESS_REQUEST events, without checking whether the client is authenticated. An anonymous client therefore receives the details of every pending access request.
With the request IDs from those events, the anonymous client can poll the status of each request by trial and error. Once an administrator approves a request, the approval response carries the JWT token issued for it, so the attacker can steal a token that was granted to a legitimate client.
Ref: Cached ACCESS_REQUEST Events – Among these cached events are ACCESS_REQUEST objects. These contain sensitive details about pending security access requests, including:
- Request IDs
- Client identifiers and descriptions
- Requested permission levels (e.g., admin, read-only)
- Client IP addresses
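As an added example (not the project's own code, and not the fix that shipped in 2.19.0), the following JavaScript sketches the replay logic described in the background section and the vulnerability details from both sides: an unchecked replay that sends every cached event to any client that asked for serverevents=all, next to a hardened replay that withholds ACCESS_REQUEST events from any caller not authenticated as admin. The cache contents, field names and function names are constructed for illustration and are not the signalk-server schema.

```javascript
// Added example, not signalk-server code: replaying a cache of server
// events to a newly connected stream client, in the unchecked form the
// advisory describes and in a hardened form that gates ACCESS_REQUEST on
// the caller's identity. All names and the event schema are hypothetical.

const ACCESS_REQUEST = 'ACCESS_REQUEST'

// Constructed sample cache (illustrative field names, not the project's
// schema). Two pending access requests sit among ordinary status events.
const SAMPLE_CACHE = [
  { type: 'SERVERSTATISTICS', data: { uptime: 3600, deltaRate: 12 } },
  {
    type: ACCESS_REQUEST,
    data: { requestId: 'a1b2c3', clientId: 'plotter-7', description: 'Chart plotter',
            permissions: 'admin', ip: '192.168.1.23' },
  },
  { type: 'DEBUG_SETTINGS', data: { debugEnabled: false } },
  {
    type: ACCESS_REQUEST,
    data: { requestId: 'd4e5f6', clientId: 'engine-mon', description: 'Engine monitor',
            permissions: 'readonly', ip: '10.0.0.5' },
  },
]

// True when the stream URL asks for the server-event replay.
function wantsServerEvents(url) {
  return new URL(url).searchParams.get('serverevents') === 'all'
}

// Minimal stand-in for a WebSocket/SSE client: records every message written to it.
function recordingSocket() {
  const sent = []
  return { send: (msg) => sent.push(JSON.parse(msg)), sent }
}

// Unchecked replay: whoever connected with ?serverevents=all gets the whole
// cache. Nothing here looks at the caller, so an anonymous client receives
// the pending ACCESS_REQUEST records along with everything else.
function replayUnchecked(cache, socket) {
  for (const ev of cache) socket.send(JSON.stringify(ev))
  return socket.sent.length
}

// Hardened replay: event types that describe pending security requests are
// only replayed to a principal whose token was validated and carries admin
// permission. Anonymous and read-only clients still get the harmless events.
const ADMIN_ONLY_EVENTS = new Set([ACCESS_REQUEST])

function replayHardened(cache, socket, principal) {
  const isAdmin = Boolean(principal && principal.authenticated && principal.permissions === 'admin')
  for (const ev of cache) {
    if (ADMIN_ONLY_EVENTS.has(ev.type) && !isAdmin) continue
    socket.send(JSON.stringify(ev))
  }
  return socket.sent.length
}

// Event types a recorded socket actually received, for inspecting the result.
function receivedTypes(socket) {
  return socket.sent.map((ev) => ev.type)
}

// Stand-alone demonstration: an anonymous connection against each replay.
const demoUrl = 'wss://server-address/stream?serverevents=all'
if (wantsServerEvents(demoUrl)) {
  const anonUnchecked = recordingSocket()
  replayUnchecked(SAMPLE_CACHE, anonUnchecked)
  console.log('unchecked, anonymous:', receivedTypes(anonUnchecked))
  const anonHardened = recordingSocket()
  replayHardened(SAMPLE_CACHE, anonHardened, null)
  console.log('hardened, anonymous: ', receivedTypes(anonHardened))
}
```

The point of the gate is that what gets replayed must be tied to the validated identity of the connecting client, not to the presence of a query parameter: the parameter expresses a preference, the token decides what the client is allowed to see. The same gate belongs on live events emitted after the connection is established, not only on the initial cache replay.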
Remedy: signalk-server version 2.19.0 fixes the underlying issue. Upgrade to 2.19.0 or later.
Official announcement: Please refer to the link for details –