2026-03-24 18:06 | CVE-2026-2417 | icscert
PUBLISHED | 5.2 | CWE-306

Missing Authentication for Critical Function in Pharos Controls Mosaic Show Controller

A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

Problem type

CWE-306 Missing authentication for critical function

Affected products

Pharos Controls

Mosaic Show Controller

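2.15.3 - AFFECTED (the only version the record lists; the default status for other versions is "unaffected"). Pharos Controls recommends that users upgrade Mosaic Show Controller to version 2.16 or later.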

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-083-01 (government-resource)

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-2417
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-2417",
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "dateUpdated": "2026-03-24T18:38:05.206Z",
    "dateReserved": "2026-02-12T17:31:30.834Z",
    "datePublished": "2026-03-24T18:06:32.303Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert",
        "dateUpdated": "2026-03-24T18:06:32.303Z"
      },
      "title": "Missing Authentication for Critical Function in Pharos Controls Mosaic Show Controller",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.</p>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Pharos Controls",
          "product": "Mosaic Show Controller",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "2.15.3",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-306 Missing authentication for critical function",
              "cweId": "CWE-306",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-083-01",
          "tags": [
            "government-resource"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Pharos Controls recommends that users upgrade Mosaic Show Controller to version 2.16 or later.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "Pharos Controls recommends that users upgrade Mosaic Show Controller to version 2.16 or later."
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "James Tully reported this vulnerability to CISA.",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-24T18:38:05.206Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}