CVE-2026-3356
published 2026-03-31CVE-2026-3356: The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management…
PriorityP263critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.39%
30.5th percentile
The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anritsu | remote_spectrum_monitor_ms27100a | — | — |
| anritsu | remote_spectrum_monitor_ms27101a | — | — |
| anritsu | remote_spectrum_monitor_ms27102a | — | — |
| anritsu | remote_spectrum_monitor_ms27103a | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The affected devices (MS27100A, MS27101A, MS27102A, MS27103A) have no authentication mechanism on their management interface — any unauthenticated network request to the management interface should be treated as suspicious and investigated. ↗
- →Successful exploitation allows attackers to alter operational settings, obtain sensitive signal data, or disrupt device availability — monitor for unexpected configuration changes or unusual data exfiltration from Anritsu Remote Spectrum Monitor devices on the network. ↗
- ·There is no patch or fix available — Anritsu has no plans to remediate this vulnerability. The only mitigation is network isolation. ↗
- ·The vulnerability is by design, not misconfiguration — the device provides absolutely no mechanism to enable or configure authentication, so there is no hardening option available on the device itself. ↗
- ·No known public exploitation has been reported at time of advisory publication, but the CVSS 3.1 score is 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N) — network-accessible instances are trivially exploitable with no privileges or user interaction required. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9c77-73hr-45rf: The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management
ghsa_unreviewed·2026-03-31
CVE-2026-3356 [CRITICAL] CWE-306 GHSA-9c77-73hr-45rf: The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management
The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error.
CISA ICS
Anritsu Remote Spectrum Monitor
cisa_ics·2026-03-31·CVSS 9.3
[CRITICAL] Anritsu Remote Spectrum Monitor
ICS Advisory
##
Anritsu Remote Spectrum Monitor
Release DateMarch 31, 2026
Alert CodeICSA-26-090-01
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## Summary
Successful exploitation of this vulnerability could allow attackers with network access to alter operational settings, obtain sensitive signal data, or disrupt device availability.
The following versions of Anritsu Remote Spectrum Monitor are affected:
- Remote Spectrum Monitor MS27100A vers:all/* (CVE-2026-3356)
- Remote Spectrum Monitor MS27101A vers:all/* (CVE-2026-3356)
- Remote Spectrum Monitor MS27102A vers:all/* (CVE-2026-3356)
- Remote Spectrum Monitor MS27103A vers:all/* (CVE-2026-3356)
CVSS
Vendor
Equipment
Vulnerabilities
| v3 9.8
| Anrit
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-03-31
Published