CVE-2026-3893
Received Received - Intake
Authentication Bypass in Carlson VASCO-B GNSS Receiver Allows Unauthorized Access

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: ICS-CERT

Description
The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3893
EUVD
EUVD-2026-26081
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
carlson_software vasco-b_gnss_receiver From 1.4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-3893 vulnerability affects the Carlson VASCO-B GNSS Receiver, which lacks an authentication mechanism. This means an attacker with network access can directly access and modify the device's configuration and operational functions without needing any credentials.

The vulnerability is critical, with a CVSS v3.1 base score of 9.4, indicating it is easy to exploit remotely without privileges or user interaction, and can lead to significant impact on confidentiality, integrity, and availability.

Impact Analysis

This vulnerability allows a remote attacker to alter critical system functions or disrupt the operation of the Carlson VASCO-B GNSS Receiver without any authentication.

  • An attacker can modify device configurations, potentially causing operational failures or incorrect GNSS data.
  • It can lead to loss of confidentiality, integrity, and availability of the device's functions.
  • The vulnerability impacts critical manufacturing infrastructure worldwide, potentially causing significant operational disruptions.

Organizations are advised to minimize network exposure of such devices, isolate control system networks, use secure remote access methods, and monitor for suspicious activity.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized access or modification attempts to the Carlson VASCO-B GNSS Receiver, which lacks authentication.

Since the device is accessible over the network without authentication, network scanning tools can be used to identify exposed devices.

  • Use network scanning commands such as 'nmap' to detect devices with open ports that correspond to the GNSS receiver's management interfaces.
  • Monitor network traffic for unusual configuration changes or commands sent to the device.
  • Implement logging and alerting on network devices and the GNSS receiver to detect unauthorized access attempts.
Mitigation Strategies

Immediate mitigation steps include minimizing network exposure of the affected Carlson VASCO-B GNSS Receiver by ensuring it is not accessible from the Internet.

Isolate the control system network containing the device behind firewalls and separate it from business networks.

Use secure remote access methods such as up-to-date VPNs to access the device, while acknowledging their limitations.

Update the affected products to version 1.4.0 or later as advised by Carlson Software to remediate the vulnerability.

Perform impact analysis and risk assessments before deploying mitigations and monitor for suspicious activity with established internal procedures.

Compliance Impact

The provided information does not explicitly address how the CVE-2026-3893 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3893. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart