What vulnerabilities did Kaleris patch in Navis N4?

Kaleris patched multiple security vulnerabilities in its Navis N4 Terminal Operating System: CVE-2025-2566 (CVSS 9.3) for Deserialization of Untrusted Data, and CVE-2025-5087 (CVSS 6.0) for Cleartext Transmission of Sensitive Information.

What is CVE-2025-2566?

CVE-2025-2566 (CVSS score 9.3) is a Deserialization of Untrusted Data vulnerability caused by unsafe Java deserialization in the Ultra Light Client (ULC) component. An unauthenticated attacker can craft malicious requests to execute arbitrary code on the server, potentially gaining the same privileges as the application server itself.

What is CVE-2025-5087?

CVE-2025-5087 (CVSS score 6.0) is a Cleartext Transmission of Sensitive Information vulnerability that allows attackers capable of observing network traffic between Ultra Light Clients and N4 servers to extract sensitive information, including plaintext credentials, due to insecure communication using zlib-compressed data over HTTP.

Which versions of Navis N4 are affected by these vulnerabilities?

The vulnerabilities affect Navis N4 Terminal Operating System versions prior to 4.0. All installations running older versions should be updated to the patched releases immediately.

What are the patched versions for Navis N4?

Kaleris recommends updating to the following versions or later: Navis N4 Version 3.1.44+, 3.2.26+, 3.3.27+, 3.4.25+, 3.5.18+, 3.6.14+, 3.7.0+, and 3.8.0+. Organizations should choose the appropriate version based on their current major release branch.

Does CVE-2025-2566 require authentication to exploit?

No, CVE-2025-2566 can be exploited by unauthenticated attackers. This makes it particularly dangerous as attackers don't need valid credentials to potentially execute arbitrary code on the server with application server privileges.

What mitigation options are available for organizations unable to immediately update?

For organizations unable to immediately update, Kaleris advises isolating N4 systems from the internet unless absolutely required. If internet exposure is necessary, organizations should disable the Ultra Light Client on exposed nodes by blocking specific URL patterns in load balancers or firewalls, set up VPN connections, use authenticated jump systems, or implement IP address whitelisting as a last resort.

How can network traffic interception affect Navis N4 systems?

Due to CVE-2025-5087, attackers who can observe network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials. This is because the system uses insecure communication with zlib-compressed data over HTTP rather than encrypted channels.

Why are these vulnerabilities particularly concerning for maritime operations?

These vulnerabilities are particularly concerning because Navis N4 manages critical port operations including vessel berthing, cargo movement, and gate processing. A successful attack could disrupt maritime logistics, affect global supply chains, expose sensitive shipping and cargo information, or potentially allow unauthorized access to port infrastructure systems.

What should port operators do immediately about these Navis N4 vulnerabilities?

Port operators should immediately assess their current Navis N4 version, plan and execute upgrades to the appropriate patched version for their branch, implement network isolation measures if immediate patching isn't possible, review access controls and monitoring for their N4 systems, and contact security@kaleris.com if they need additional guidance. Given the critical nature of CVE-2025-2566 with its 9.3 CVSS score and unauthenticated exploitation potential, this should be treated as an urgent security priority.

Advisory

Security vulnerabilities reported in Kaleris Navis N4 terminal Operating System

Q: What is Navis N4 Terminal Operating System?

Navis N4 is a software system for management of port operations and maritime infrastructure including vessel berthing, cargo movement, yard planning, and gate processing. It's used by ports and terminals worldwide to manage critical maritime logistics operations.

published: June 24, 2025

Take action: If you use Navis N4 Terminal Operating System, first check if it's isolated from the internet or requires internet connectivity. Then, prioritize updating to the latest patched version for your branch. If you can't update right away, isolate your N4 systems from the internet or disable the Ultra Light Client component on any internet-facing systems.

Learn More

Kaleris has patched multiple security vulnerabilities in its Navis N4 Terminal Operating System. Navis N4 is a software for management of port operations and maritime infrastructure like vessel berthing, cargo movement, yard planning, and gate processing.

Vulnerabilities summary

CVE-2025-2566 (CVSS score 9.3) - Deserialization of Untrusted Data - the flaw is caused by unsafe Java deserialization in the Ultra Light Client (ULC) component. An unauthenticated attacker can craft malicious requests to execute arbitrary code on the server, potentially gaining the same privileges as the application server itself.
CVE-2025-5087 (CVSS score 6.0) - Cleartext Transmission of Sensitive Information - this vulnerability allows attackers capable of observing network traffic between Ultra Light Clients and N4 servers to extract sensitive information, including plaintext credentials, due to insecure communication using zlib-compressed data over HTTP.

The vulnerabilities affect Navis N4 Terminal Operating System versions prior to 4.0.

Kaleris has released patches for these vulnerabilities and recommends users implement the following updated versions or later:

Navis N4: Version 3.1.44+
Navis N4: Version 3.2.26+
Navis N4: Version 3.3.27+
Navis N4: Version 3.4.25+
Navis N4: Version 3.5.18+
Navis N4: Version 3.6.14+
Navis N4: Version 3.7.0+
Navis N4: Version 3.8.0+

For organizations unable to immediately update, Kaleris advises isolating the N4 systems from the internet unless absolutely required. Organizations that must expose systems to the internet should disable the Ultra Light Client on exposed nodes by blocking specific URL patterns in load balancers or firewalls. Alternative secure access methods is to set up VPN connections, authenticated jump systems, or whitelisting external IP addresses as a last resort.

Kaleris has proactively sent security advisories to all customers running their software and established a dedicated contact point at security@kaleris.com for additional information.

Security vulnerabilities reported in Kaleris Navis N4 terminal Operating System

Read More
Rockwell Automation fixes critical flaw in AADvance Standalone …
Bitdefender researchers reportd multiple vulnerabilities in Solarman and …
Schneider Electric Patches Critical RCE Vulnerability in SCADAPack …
Unitronics Vision Series VisiLogic Software vulnerable due to …
Multiple critical flaws reported in MICROSENS NMP Web+ …