CVE-2026-2417

CRITICAL

Missing Authentication for Critical Function in Pharos Controls Mosaic Show Controller

Title source: cna

Description

A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

Scores

CVSS v4 9.3
EPSS 0.0018
EPSS Percentile 39.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-306
Status published
Products (1)
Pharos Controls/Mosaic Show Controller 2.15.3
Published Mar 24, 2026
Tracked Since Mar 25, 2026