Maritime cybersecurity researchers have revealed a series of critical vulnerabilities in a widely used maritime IoT platform that would allow a remote attacker to seize complete control of a vessel’s propulsion, navigation, electrical power, ballast, steering, and fire safety systems – entirely from a web browser.
Singapore-based research team Rudra published the findings this week, detailing a chain of four vulnerabilities in SmartShipWeb, a cloud-based platform operated by Smart Ship Hub. At the time of research, the platform was managing active vessels across multiple fleet operators, spanning chemical tankers, bulk carriers, container ships, and offshore vessels operating in Asia, Europe, and the Middle East.
The attack chain begins with common web application flaws – including a password reset mechanism whose tokens are generated in the client rather than on the server, leaving them exposed to any network observer – and ends with unrestricted read and write access to a vessel’s entire file system. From there, the researchers were able to map 2,695 Modbus registers across 33 operational systems, 56 NMEA navigation sensor types, and 394 directly controllable points, with no authentication required on any of the operational technology protocols involved.
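The password reset flaw at the start of that chain is a generic web application pattern, not something specific to shipping. The following Python sketch is added here for illustration and is not code from SmartShipWeb or from Rudra's advisory: it puts a reset flow that trusts a client-supplied token beside a server-side one. The account name and token values are constructed; the hardened version generates the token on the server with `secrets`, stores only its hash, expires it and allows it to be used once.

```python
"""Password-reset token handling: client-trusted design beside a server-side one.
Constructed example; not code from SmartShipWeb or Rudra's advisory."""
import hashlib
import hmac
import secrets
import time

# Constructed sample account store (in reality a database).
USERS = {"chief.engineer": {"password": "old-pass"}}


class ClientTokenReset:
    """Vulnerable pattern: the browser picks the token and the server records it.

    Whoever can observe or choose the value sent in the reset request can
    complete the reset, because the server never had a secret of its own.
    """

    def __init__(self):
        self.pending = {}  # username -> token the client sent

    def request_reset(self, username, client_token):
        if username in USERS:
            self.pending[username] = client_token
        return client_token

    def complete_reset(self, username, token, new_password):
        if self.pending.get(username) == token:
            USERS[username]["password"] = new_password
            del self.pending[username]
            return True
        return False


class ServerTokenReset:
    """Hardened pattern: server-generated, hashed-at-rest, expiring, single-use."""

    TTL_SECONDS = 15 * 60

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username):
        # 256 bits from the OS CSPRNG; the plaintext token is delivered out of
        # band (e.g. e-mail) and only its hash is kept, so a database leak does
        # not hand out usable reset links.
        token = secrets.token_urlsafe(32)
        if username in USERS:
            self.pending[self._digest(token)] = (username, self.now() + self.TTL_SECONDS)
        # Same response whether or not the account exists: no user enumeration.
        return token

    def complete_reset(self, token, new_password):
        presented = self._digest(token)
        for stored, (username, expires_at) in list(self.pending.items()):
            # Constant-time comparison of the stored hash against the presented one.
            if hmac.compare_digest(stored, presented):
                del self.pending[stored]          # single use, even if expired
                if self.now() > expires_at:
                    return False                  # expired: reject
                USERS[username]["password"] = new_password
                return True
        return False                              # unknown or forged token
```

The vulnerable class accepts any value the client proposed; the hardened one rejects forged, reused and expired tokens, and the caller never learns whether the account existed at request time.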
Technically feasible attack scenarios outlined in the advisory include GPS and gyrocompass spoofing during a port approach, total loss of propulsion and power in a traffic separation scheme, and steering override during port operations.
“This research demonstrates that a single maritime IoT platform can become the bridge an attacker walks from the internet to a vessel’s engine room,” Rudra said. “The vulnerabilities we found are not exotic – they are common web application flaws. What makes them critical is the architecture.”
The vulnerabilities have since been patched following responsible disclosure coordinated through Singapore’s Cyber Security Agency, with no evidence of exploitation in the wild detected during the disclosure period. Rudra initiated vendor notification in June 2025, with patches applied in Q4 2025.
The findings land at a moment of acute sensitivity for maritime cyber resilience. Maritime cyber incidents increased by over 100% in 2025, and IACS Unified Requirements E26 and E27 – mandating cyber resilience standards for all newbuilds contracted since July 2024 – are now enforceable. Rudra warned that regulatory compliance alone is insufficient: “Our research shows what happens when those requirements are not met – and why compliance must be verified at the technical level, not just on paper.”
Sister title SplashTech reported last week that NAVTOR has moved to close high‑severity security holes in its widely deployed NavBox data gateway after independent researcher Cydome reported multiple vulnerabilities affecting legacy devices. NavBox aggregates navigational, engine, and operational data aboard ships, and the highlighted flaws reveal gaps in the cyber resilience of shipboard operational technology as vessels become more connected.
