{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3893", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-03-10T16:52:36.791Z", "datePublished": "2026-04-28T17:34:56.130Z", "dateUpdated": "2026-04-28T17:34:56.130Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-04-28T17:34:56.130Z"}, "title": "Carlson Software VASCO-B GNSS Receiver Missing Authentication for Critical Function", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306", "type": "CWE"}]}], "affected": [{"vendor": "Carlson Software", "product": "VASCO-B GNSS Receiver", "versions": [{"status": "affected", "version": "0", "lessThan": "1.4.0", "versionType": "custom"}, {"status": "unaffected", "version": "1.4.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, \nallowing an attacker with network access to directly access and modify \nits configuration and operational functions without needing credentials.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, \nallowing an attacker with network access to directly access and modify \nits configuration and operational functions without needing credentials."}]}], "references": [{"url": "https://www.carlsonsw.com/support-and-training/"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-3893"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-02.json"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "Carlson Software recommends users update to Version 1.4.0 or greater. \nFor more information contact Carlson Software \nhttps://www.carlsonsw.com/support-and-training/", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>\nCarlson Software recommends users update to Version 1.4.0 or greater. \nFor more information contact Carlson Software \nhttps://www.carlsonsw.com/support-and-training/</div>"}]}], "credits": [{"lang": "en", "value": "Souvik Kandar reported this vulnerability to CISA.", "type": "finder"}], "source": {"advisory": "ICSA-26-113-02", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, \nallowing an attacker with network access to directly access and modify \nits configuration and operational functions without needing credentials."}], "id": "CVE-2026-3893", "lastModified": "2026-04-28T20:10:23.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-04-28T19:37:39.647", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-02.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.carlsonsw.com/support-and-training/"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cve.org/CVERecord?id=CVE-2026-3893"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T23:13:06.414657+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update, version 1.4.0 or later, to restore authentication for the receiver\u2019s configuration interface.", "Restrict network connectivity to the VASCO\u2011B device using firewalls or VLAN segmentation so that only trusted, authenticated sources can reach it.", "Maintain physical and environmental security controls to prevent unauthorized tampering with the device\u2019s hardware or firmware."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Configuration Modification"}, "threat_synthesis": {"affected_systems": "Devices manufactured by Carlson Software that run the VASCO\u2011B GNSS Receiver software with a version earlier than 1.4.0 are affected. The vendor recommends upgrading to version 1.4.0 or later to incorporate the authentication check.", "description_and_impact": "The VASCO-B GNSS Receiver fails to require authentication before allowing access to critical configuration and operational controls. As a result, an attacker who can reach the device over the network can alter its settings, divert its navigation data, or disrupt its operation without any credentials. This flaw enables a full redesign of the receiver\u2019s behavior, potentially causing loss of service, data tampering, or misrouting of navigation signals.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.4, indicating a critical risk if exploited. The EPSS score is not available, but the lack of authentication makes exploitation trivial for an attacker with network access. The flaw is not listed in the CISA KEV catalog, yet it remains a high\u2011priority issue due to its potential impact on critical navigation infrastructure."}}}}, "created": "2026-04-28T23:15:43.858746+00:00", "updated": "2026-04-28T23:15:43.858758+00:00", "vendors": []}