Skip to main content

Mosaic Show Controller EUVDEUVD-2026-14960

| CVE-2026-2417 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-03-24 icscert GHSA-g4m3-7qqq-fgp4
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 24, 2026 - 18:31 euvd
EUVD-2026-14960
Analysis Generated
Mar 24, 2026 - 18:31 vuln.today
CVE Published
Mar 24, 2026 - 18:06 nvd
CRITICAL 9.3

DescriptionCVE.org

A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

AnalysisAI

Unauthenticated remote code execution in Pharos Controls Mosaic Show Controller firmware 2.15.3 enables attackers to bypass authentication and execute arbitrary commands with root privileges without user interaction. This critical vulnerability affects all instances exposed to network access with no available patch. The extremely low EPSS score suggests limited real-world exploitation despite the severe technical impact.

Technical ContextAI

The Pharos Mosaic Show Controller is a networked lighting and show control device used in professional event production and venue management. The vulnerability resides in the firmware of version 2.15.3 and stems from missing authentication checks (CWE-306: Missing Authentication for Critical Function) on critical command execution interfaces. This root cause allows an attacker to interact directly with privileged command handlers without providing valid credentials or tokens. The affected product is identified via CPE cpe:2.3:a:pharos_controls:mosaic_show_controller:*:*:*:*:*:*:*:*, indicating the issue affects the Mosaic Show Controller product line. The lack of proper authentication gates likely affects REST APIs, management interfaces, or network protocols used for remote show control operations.

RemediationAI

Immediately apply the firmware patch provided by Pharos Controls for version 2.15.3 and upgrade to the patched release as detailed in CISA advisory ICSA-26-083-01 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-083-01). Until patching is feasible, implement network segmentation to restrict access to the Mosaic Show Controller to trusted management networks only, disable remote management interfaces if not actively required, and deploy network-based access controls (firewall rules, VLANs) to prevent unauthenticated external access. Monitor system logs and network traffic for suspicious command execution patterns, and consider deploying the controller behind a reverse proxy with mandatory authentication and encryption. Coordinate with Pharos Controls support for interim guidance and patch availability timelines.

Share

EUVD-2026-14960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy