CVE-2026-2417
Missing Authentication in Pharos Mosaic Controller Enables Root Command Execution
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pharos | controls_mosaic_show_controller | 2.15.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Missing Authentication for Critical Function in the Pharos Controls Mosaic Show Controller firmware version 2.15.3. It allows an unauthenticated attacker to bypass authentication mechanisms and execute arbitrary commands with root privileges on the affected device.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can gain root-level access to the affected device without any authentication. This could lead to unauthorized control over the device, execution of arbitrary commands, potential disruption of services, data manipulation, or further compromise of the network where the device is deployed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know