ICSA-25-175-01
·
Published 2025-06-24
·
View on CISA ICS-CERT ↗
Kaleris Navis N4 Terminal Operating System
CVSS 9.8
CRITICAL
Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker to remotely exploit the operating system, achieve remote code execution, or extract sensitive information.
CVEs (2)
Remediations
- Kaleris recommends users to implement the following versions or later:
- Navis N4: Version 3.1.44+
- Navis N4: Version 3.2.26+
- Navis N4: Version 3.3.27+
- Navis N4: Version 3.4.25+
- Navis N4: Version 3.5.18+
- Navis N4: Version 3.6.14+
- Navis N4: Version 3.7.0+
- Navis N4: Version 3.8.0+
- If users are unable to update, Kaleris recommends following these mitigations:
- If N4 does not need to be exposed to the internet, place it behind a firewall.
- If CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall, i.e. the requests matched by the web.xml patterns "<url-pattern>*.jnlp</url-pattern>" and "<url-pattern>/ulc</url-pattern>".
- The Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.
- If the Ultra Light Client must be exposed to the Internet, do one of the following:
  a. Set up a secure VPN connection to allow access for known external parties.
  b. Set up an authenticated jump system (Citrix, VDI, etc.).
  c. Whitelist external allowed IPs (least secure option).
- Additionally, the following controls should be applied:
  a. Restrict the number of N4 nodes exposed to the internet.
  b. Ensure that HTTPS is enabled and configured on the firewall/load balancer.
  c. Use a reliable third-party firewall with built-in DDoS protection that can detect unwanted intrusions.
- Users are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.
- A final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.
- Kaleris has sent a security advisory to all customers running Kaleris software.
- For more information, users should email [email protected]
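The two Ultra Light Client mitigations above (block the `*.jnlp` / `/ulc` requests at the load balancer, or comment the endpoint out of web.xml) are easy to get half right: a path rule that is case-sensitive or ignores query strings still lets `/ULC?x=1` through, and a hand-edited web.xml may leave one of the two mappings active. The following is an added example, not Kaleris' or CISA's code. It assumes the Ultra Light Client is wired up as ordinary `<servlet-mapping>` entries whose `<url-pattern>` values are exactly the two strings the advisory names; the sample web.xml, the servlet names and the class names are constructed placeholders, and `is_ulc_request` is an approximation of what a load-balancer deny rule should match, not a rule from the vendor's Application Security Guide.

```python
"""Checks for the Navis N4 Ultra Light Client (ULC) mitigations in ICSA-25-175-01.

Added example, not vendor code. Assumption: the ULC is registered in web.xml as
servlet-mappings with url-patterns '*.jnlp' and '/ulc'. The sample web.xml below
is constructed for this example; servlet and class names are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# The two url-patterns the advisory tells you to block / comment out.
ULC_PATTERNS = {"*.jnlp", "/ulc"}

# Constructed sample: two ULC mappings plus one unrelated HTML UI mapping.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>ulc</servlet-name>
    <servlet-class>com.example.UlcServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ulc</servlet-name>
    <url-pattern>/ulc</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ulc</servlet-name>
    <url-pattern>*.jnlp</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>html-ui</servlet-name>
    <url-pattern>/ui/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def is_ulc_request(request_target):
    """Approximation of the load-balancer/firewall deny rule.

    Returns True if the request would reach the ULC. The query string is dropped,
    percent-encoding is decoded, servlet path parameters (';jsessionid=...') are
    stripped and the result is lower-cased, so '/ULC?x=1', '/app.JNLP' and
    '/ulc%3Bjsessionid=1' are all caught, not just the literal '/ulc'.
    """
    path = unquote(urlsplit(request_target).path).split(";")[0].lower()
    return path.endswith(".jnlp") or path == "/ulc" or path.startswith("/ulc/")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _mapping_pair(mapping):
    """(servlet-name, url-pattern) of one <servlet-mapping> element."""
    name = pattern = None
    for child in mapping:
        if _local(child.tag) == "servlet-name":
            name = (child.text or "").strip()
        elif _local(child.tag) == "url-pattern":
            pattern = (child.text or "").strip()
    return name, pattern


def url_patterns(xml_text):
    """All active (servlet-name, url-pattern) pairs; commented-out mappings are not parsed."""
    root = ET.fromstring(xml_text)
    return [_mapping_pair(m) for m in root if _local(m.tag) == "servlet-mapping"]


def active_ulc_mappings(xml_text):
    """Mappings that still expose the ULC. Empty list means the endpoint is disabled."""
    return [(n, p) for n, p in url_patterns(xml_text) if p in ULC_PATTERNS]


def disable_ulc_mappings(xml_text):
    """Return web.xml text with every ULC servlet-mapping turned into an XML comment."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # Keep the document's default xmlns on output instead of an 'ns0:' prefix.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    targets = [m for m in root
               if _local(m.tag) == "servlet-mapping" and _mapping_pair(m)[1] in ULC_PATTERNS]
    for mapping in targets:
        idx = list(root).index(mapping)
        original = ET.tostring(mapping, encoding="unicode").strip()
        comment = ET.Comment(" ULC disabled per ICSA-25-175-01: " + original + " ")
        comment.tail = mapping.tail  # preserve surrounding whitespace/newlines
        root.remove(mapping)
        root.insert(idx, comment)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("still active:", active_ulc_mappings(SAMPLE_WEB_XML))
    hardened = disable_ulc_mappings(SAMPLE_WEB_XML)
    print("after commenting out:", active_ulc_mappings(hardened))
    for target in ("/ULC?x=1", "/apps/n4.JNLP", "/ui/index.html"):
        print(target, "->", "deny" if is_ulc_request(target) else "allow")
```

Run `active_ulc_mappings` against the real web.xml on each exposed node after editing it; it re-parses the file the way the container will, so a mapping that was only partially commented out shows up as still active. `is_ulc_request` is meant to be fed the paths from your load balancer's access log or a small probe list to confirm the deny rule covers case and encoding variants, not just the two literal strings.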
Affected Vendors
Kaleris
Affected Products (1)
Kaleris
·
Navis N4
<4.0
Affected Sectors
Transportation Systems