CVE-2026-3893
Authentication Bypass in Carlson VASCO-B GNSS Receiver Allows Unauthorized Access

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: ICS-CERT

Description
The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials.
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
carlson_software vasco-b_gnss_receiver From 1.4.0 (inc)
CWE
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not explicitly address how the CVE-2026-3893 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

The CVE-2026-3893 vulnerability affects the Carlson VASCO-B GNSS Receiver, which lacks an authentication mechanism. This means an attacker with network access can directly access and modify the device's configuration and operational functions without needing any credentials.

The vulnerability is critical, with a CVSS v3.1 base score of 9.4, indicating it is easy to exploit remotely without privileges or user interaction, and can lead to significant impact on confidentiality, integrity, and availability.


How can this vulnerability impact me?

This vulnerability allows a remote attacker to alter critical system functions or disrupt the operation of the Carlson VASCO-B GNSS Receiver without any authentication.

  • An attacker can modify device configurations, potentially causing operational failures or incorrect GNSS data.
  • It can lead to loss of confidentiality, integrity, and availability of the device's functions.
  • The vulnerability impacts critical manufacturing infrastructure worldwide, potentially causing significant operational disruptions.

Organizations are advised to minimize network exposure of such devices, isolate control system networks, use secure remote access methods, and monitor for suspicious activity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for unauthorized access or modification attempts to the Carlson VASCO-B GNSS Receiver, which lacks authentication.

Since the device is accessible over the network without authentication, network scanning tools can be used to identify exposed devices.

  • Use network scanning commands such as 'nmap' to detect devices with open ports that correspond to the GNSS receiver's management interfaces.
  • Monitor network traffic for unusual configuration changes or commands sent to the device.
  • Implement logging and alerting on network devices and the GNSS receiver to detect unauthorized access attempts.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include minimizing network exposure of the affected Carlson VASCO-B GNSS Receiver by ensuring it is not accessible from the Internet.

Isolate the control system network containing the device behind firewalls and separate it from business networks.

Use secure remote access methods such as up-to-date VPNs to access the device, while acknowledging their limitations.

Update the affected products to version 1.4.0 or later as advised by Carlson Software to remediate the vulnerability.

Perform impact analysis and risk assessments before deploying mitigations and monitor for suspicious activity with established internal procedures.

