By default, SANnav OVA is shipped with root user login enabled. While protected by a password, access to root could expose SANnav to a remote attacker should they gain access to the root account.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.