Carlson Software VASCO-B GNSS Receiver
Summary
A critical vulnerability (CVE-2026-3893) affects Carlson Software's VASCO-B GNSS Receiver in versions prior to 1.4.0. Because authentication is missing for critical functions, a remote attacker can alter critical system functions or disrupt device operation.
IFF Assessment
The vulnerability's high CVSS score and ease of exploitation pose a significant threat to critical infrastructure, making it bad news for defenders.
Severity
The CVSS score of 9.4 reflects critical severity: the attack vector is the network (AV:N), attack complexity is low (AC:L), no privileges (PR:N) or user interaction (UI:N) are required, and scope is unchanged (S:U). An attacker can therefore impact critical functions without credentials or user interaction.
Defender Context
This alert highlights a critical vulnerability in GNSS receivers used in critical manufacturing, which could lead to disruption of essential operations. Defenders should prioritize patching or mitigating this flaw by upgrading to version 1.4.0 or later, and maintain network segmentation to limit exposure to unauthorized access.