CVE-2026-2417 CRITICAL

CVE-2026-2417: Missing Authentication for Critical Function in Pharos Controls Mosaic Show Controller

Vendor Pharos Controls
Product Mosaic Show Controller
Weakness CWE-306 · Missing auth
Published March 24, 2026
Last update March 24, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

Key dates

02Disclosure timeline

March 24, 2026 CVE published
March 24, 2026 Record updated