Skip to main content

VASCO-B GNSS Receiver CVE-2026-3893

| EUVDEUVD-2026-26081 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-04-28 icscert
9.4
CVSS 3.1 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Primary rating from Vendor (icscert) · only source for this CVE.

CVSS VectorVendor: icscert

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch available
Apr 28, 2026 - 21:01 EUVD
Re-analysis Queued
Apr 28, 2026 - 20:23 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 20:10 nvd
Patch available
Analysis Generated
Apr 28, 2026 - 20:01 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 19:30 euvd
EUVD-2026-26081
Analysis Generated
Apr 28, 2026 - 19:30 vuln.today
CVE Published
Apr 28, 2026 - 17:34 nvd
CRITICAL 9.4

DescriptionCVE.org

The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials.

AnalysisAI

Carlson Software VASCO-B GNSS receivers allow remote unauthenticated attackers to fully access and modify device configuration and operational functions due to complete absence of authentication controls (CWE-306). The network-accessible interface requires no credentials, enabling attackers to compromise device integrity and availability with low attack complexity. EPSS and KEV status not provided in available data; exploitation requires only network connectivity to the device management interface, typical in surveying and precision agriculture deployments where GNSS receivers may be exposed on operational networks.

Technical ContextAI

The VASCO-B is a Global Navigation Satellite System (GNSS) receiver used in surveying, precision agriculture, and geospatial applications requiring high-accuracy positioning data. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), meaning the device's configuration and control interface implements no authentication mechanism whatsoever. GNSS receivers typically expose web-based or proprietary network management interfaces for configuration of correction services (RTK/PPP), logging parameters, network settings, and operational modes. The CPE string (cpe:2.3:a:carlson_software:vasco-b_gnss_receiver) indicates all versions of the product line are potentially affected, though exact version ranges are not specified in available data. This represents a fundamental security architecture flaw rather than an implementation bug, as the authentication layer was not designed into the product.

RemediationAI

Contact Carlson Software through their support portal at https://www.carlsonsw.com/support-and-training/ to request firmware update status and authentication implementation timeline, as no specific patch version is identified in available data. Until vendor-provided authentication controls are available, implement network-level compensating controls: isolate VASCO-B devices on dedicated VLANs or physically separate network segments with firewall rules permitting management access only from specific authorized administrator workstations (not entire subnets). For cellular-connected units, disable remote management interfaces if field operations permit and require physical access for configuration changes (trade-off: reduces operational flexibility for remote troubleshooting). Deploy network access control (NAC) solutions to authenticate devices attempting to reach GNSS receiver management ports. Monitor network traffic to receiver IP addresses for unauthorized configuration attempts (look for HTTP/HTTPS or proprietary protocol sessions from unexpected sources). For internet-exposed deployments, immediately remove public accessibility and implement VPN-based access with multi-factor authentication. Document all configuration changes and implement change control processes to detect unauthorized modifications through out-of-band verification of device settings.

Share

CVE-2026-3893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy