Skip to main content

Remote Spectrum Monitor Ms27100A CVE-2026-3356

| EUVDEUVD-2026-17585 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-03-31 icscert
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 19:01 euvd
EUVD-2026-17585
Analysis Generated
Mar 31, 2026 - 19:01 vuln.today
CVE Published
Mar 31, 2026 - 18:40 nvd
CRITICAL 9.3

DescriptionCVE.org

The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error.

AnalysisAI

Anritsu MS27100A/MS27101A/MS27102A/MS27103A Remote Spectrum Monitors contain a design-level authentication bypass allowing unauthenticated remote attackers to fully access and manipulate the management interface. This is not a configuration weakness but an inherent architectural flaw (CWE-306: Missing Authentication) with CVSS 9.3 critical severity. No public exploit identified at time of analysis, but trivial exploitation is expected given the complete absence of authentication mechanisms. ICS-CERT advisory confirms the vulnerability affects operational technology environments.

Technical ContextAI

The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where Anritsu's Remote Spectrum Monitor product line lacks any built-in authentication framework for its management interface. Spectrum monitors are specialized network analysis devices used in telecommunications and RF testing environments to capture and analyze wireless signals. The affected CPE strings (cpe:2.3:a:anritsu:remote_spectrum_monitor_ms2710*) indicate all versions of the MS27100A, MS27101A, MS27102A, and MS27103A models contain this design flaw. The CVSS 4.0 vector shows network-based attack vector (AV:N), low complexity (AC:L), no attack requirements (AT:N), no privileges required (PR:N), and no user interaction (UI:N), confirming the interface is directly exposed without any authentication layer. This represents a fundamental architectural security failure rather than a patchable implementation bug.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed from available data. Organizations should immediately consult CISA advisory ICSA-26-090-01 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-090-01 for vendor guidance and firmware availability. As an architectural flaw, remediation requires Anritsu to release firmware adding authentication framework-configuration changes cannot address this issue. Interim compensating controls are critical: isolate affected devices on dedicated management VLANs with strict firewall rules permitting access only from authorized jump hosts or management workstations; implement network access control (802.1X) on switch ports connecting these devices; deploy intrusion detection systems monitoring for unauthorized access attempts; consider VPN or bastion host requirements for any remote management. Do not expose these devices to untrusted networks or the internet. Contact Anritsu technical support for firmware update timeline and emergency mitigation guidance specific to your deployment environment.

Share

CVE-2026-3356 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy