[TIMESTAMP: 2026-03-24 20:20 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2026-2417: Pharos Controls RCE via Missing Authentication

// executive briefing tl;dr
  • [01] Immediate impact: Unauthenticated attackers can gain root access to critical Pharos Controls devices, risking operational control.
  • [02] Affected systems: Pharos Controls Mosaic Show Controller firmware version 2.15.3 is vulnerable to remote command execution.
  • [03] Remediation: Upgrade all affected Mosaic Show Controller devices to firmware version 2.16 or later without delay.

Critical Vulnerability in Pharos Controls Mosaic Show Controller Allows Root RCE

A severe vulnerability, tracked as CVE-2026-2417, has been identified in the Pharos Controls Mosaic Show Controller firmware version 2.15.3. This flaw is rated with a CVSS v3.1 base score of 9.8 (CRITICAL), indicating the highest level of severity. Successful exploitation could allow an unauthenticated attacker to bypass security mechanisms and execute arbitrary commands with root privileges, posing a significant threat to controlled environments, particularly those within Critical Infrastructure sectors.

The Pharos Controls Mosaic Show Controller is used worldwide, often in commercial facilities for sophisticated lighting and media control systems. The widespread deployment of these devices underscores the importance of prompt mitigation to prevent potential operational disruption or system compromise. According to CISA ICS Advisory ICSA-26-083-01, no known public exploitation specifically targeting this vulnerability has been reported at this time, but the high CVSS score necessitates immediate attention.

Technical Analysis of CVE-2026-2417 Root Privilege Escalation

This critical vulnerability is categorized as a Missing Authentication for Critical Function (CWE-306). In essence, specific critical functions within the Mosaic Show Controller’s firmware version 2.15.3 do not properly require or enforce authentication. This oversight allows any remote attacker with network access to the device to invoke these functions without prior authorization. The most dangerous aspect of this flaw is its potential for RCE with root privileges.

An attacker exploiting this vulnerability in the Pharos Controls Mosaic Show Controller firmware could leverage the lack of authentication to inject and execute arbitrary commands directly on the device’s underlying operating system. Gaining root access provides full control over the controller, enabling malicious actors to manipulate connected systems, alter device configurations, or even establish persistence for future attacks. The implications range from disrupting lighting and media displays in commercial venues to potentially compromising integrated building management systems, depending on the controller’s specific deployment and network architecture. Organizations using these controllers should understand that the ease of exploitation, requiring no authentication or user interaction, makes this a highly attractive target for malicious actors.

Mitigation and Defensive Strategies for Unauthenticated Command Execution

The most critical action for mitigating CVE-2026-2417 is to upgrade the affected Pharos Controls Mosaic Show Controller firmware. Pharos Controls explicitly recommends that users upgrade to firmware version 2.16 or later. This update addresses the Missing Authentication for Critical Function flaw, restoring the necessary security controls.

Beyond immediate patching, CISA provides broader ICS security best practices that are highly relevant for protecting these types of devices:

  • Network Segmentation: Minimize network exposure for all control system devices. Isolate ICS networks from business networks using robust firewalls to prevent unauthorized access and limit potential lateral movement if a perimeter breach occurs.
  • Secure Remote Access: If remote access to the Mosaic Show Controller is necessary, employ more secure methods such as Virtual Private Networks (VPN). Ensure VPNs are always updated to the most current version and recognize that their security is dependent on the connected devices’ posture.
  • Minimize Internet Exposure: Ensure that control system devices are not directly accessible from the internet. Public-facing ICS components dramatically increase attack surface and risk.
  • Impact Analysis and Risk Assessment: Perform a thorough risk assessment prior to deploying any defensive measures to understand potential impacts on operational continuity.
  • Cybersecurity Training: Educate personnel on recognizing and avoiding phishing and social engineering attacks, which are common initial access vectors for sophisticated threats.

Organizations should implement these layered defensive measures proactively. Monitoring network traffic for unusual activity and integrating ICS security events into existing SIEM solutions can help detect attempted exploitation or compromise. Regular patching, combined with a defense-in-depth strategy, is essential for securing critical operational technology assets.
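An added example (not from Pharos Controls or CISA) of triaging an asset inventory against the versions named above: 2.15.3 is flagged as affected, 2.16 or later as fixed, and any other release below 2.16 is marked for review because the advisory as summarized here does not list it. The inventory columns, hostnames and the `internet_exposed` field are assumptions constructed for the illustration.

```python
import csv
import io

AFFECTED = (2, 15, 3)   # version the advisory names as vulnerable
FIXED = (2, 16)         # first fixed release per the vendor recommendation

# Constructed sample inventory; hostnames, columns and values are illustrative.
SAMPLE_INVENTORY = """\
host,firmware,internet_exposed
lobby-msc,2.15.3,no
stage-msc,v2.16,no
roof-msc,2.15.3,yes
atrium-msc,2.9.1,no
annex-msc,unknown,no
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not a dotted version."""
    parts = text.strip().lower().lstrip("v").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(firmware):
    version = parse_version(firmware)
    if version is None:
        return "unknown"            # cannot verify: check the device by hand
    # Pad so 2.16 and 2.16.0 compare equal; compare numerically so 2.9 < 2.16.
    width = max(len(version), len(FIXED), len(AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    if pad(version) >= pad(FIXED):
        return "fixed"
    if pad(version) == pad(AFFECTED):
        return "affected"
    # Older than the fix but not named in the advisory: confirm with the vendor.
    return "review"

def triage(inventory_csv):
    """Return (host, status, exposed) rows, most urgent first."""
    order = {"affected": 0, "unknown": 1, "review": 2, "fixed": 3}
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        exposed = rec["internet_exposed"].strip().lower() == "yes"
        rows.append((rec["host"], classify(rec["firmware"]), exposed))
    # Within a status, internet-exposed devices come first.
    return sorted(rows, key=lambda r: (order[r[1]], not r[2]))

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:9} exposed={exposed}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 2.9.1 above 2.16 and report an unpatched controller as fixed.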
