CVE-2026-2417
published 2026-03-24


Priority: P2 76 | Severity: critical | CVSS 4.0 base score: 9.3
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.57% (43.0th percentile)
A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

Affected

1 range

Vendor          | Product                 | Version range | Fixed in
pharos_controls | mosaic_show_controller  |               |

Detection & IOCs (extracted from sources)

  • Target device: Pharos Controls Mosaic Show Controller running firmware version 2.15.3 is the affected product; detect exploitation attempts against this device by monitoring for unauthenticated requests to privileged/command-execution endpoints.
  • Network-reachable attack vector with no privileges or user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N); monitor for unauthenticated inbound connections to Mosaic Show Controller management interfaces from unexpected sources.
  • CWE-306 (Missing Authentication for Critical Function): look for HTTP/TCP requests that reach privileged or command-execution functions on the controller without any authentication headers/tokens.
  • No known public exploitation has been reported at time of advisory publication; no specific exploit code, IOCs, or attack tooling were referenced in the available sources.
  • Only firmware version 2.15.3 is confirmed affected; version 2.16 and later are the remediated versions. Ensure version fingerprinting is used to scope detection rules appropriately.